Skip to content

encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (CVE-2025-58185) #75671

New issue
New issue
Closed
Closed
encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (CVE-2025-58185)#75671
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker
Milestone
Go1.26
@nicholashusin

Description

@nicholashusin
nicholashusin
opened on Sep 30, 2025

When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.

This is a PRIVATE issue for CVE-2025-58185, tracked in http://b/442562525 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2700.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blocker

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions