Skip to content

net/mail: excessive CPU consumption in ParseAddress (CVE-2025-61725) #75680

New issue
New issue
Closed
Closed
net/mail: excessive CPU consumption in ParseAddress (CVE-2025-61725)#75680
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.26
@neild

Description

@neild
neild
opened on Sep 30, 2025

The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.

This is a PRIVATE issue for CVE-2025-61725, tracked in http://b/446728192 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2840.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions