CVE-2025-61730

medium

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

References

https://pkg.go.dev/vuln/GO-2026-4340

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

https://go.dev/issue/76443

https://go.dev/cl/724120

Details

Source: Mitre, NVD

Published: 2026-01-28

Updated: 2026-02-03

Risk Information

CVSS v2

Base Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00009