Detections
Analytics

Golang 1.24.x < 1.24.8 / 1.25.x < 1.25.2 Multiple Vulnerabilities (qZN5nc-mBgAJ)

high Nessus Plugin ID 271201

Language:

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Golang running on the remote host is 1.24.x prior to 1.24.8, 1.25.x prior to 1.25.2. It is, therefore, affected by multiple vulnerabilities as referenced in qZN5nc-mBgAJ advisory.

 - The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: 'http://[::1]/'. IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. (CVE-2025-47912)

 - tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations. (CVE-2025-58183)

 - Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. (CVE-2025-58188)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Golang Go version 1.24.8, 1.25.2 or later.

See Also

http://www.nessus.org/u?0eff4e29

https://github.com/golang/go/issues/75678

https://github.com/golang/go/issues/75677

https://github.com/golang/go/issues/75671

https://github.com/golang/go/issues/75672

https://github.com/golang/go/issues/75681

https://github.com/golang/go/issues/75675

https://github.com/golang/go/issues/75652

https://github.com/golang/go/issues/75676

https://github.com/golang/go/issues/75716

https://github.com/golang/go/issues/75680

Plugin Details

Severity: High

ID: 271201

File Name: golang_1_25_2.nasl

Version: 1.2

Type: local

Family: Misc.

Published: 10/22/2025

Updated: 10/24/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-47912

CVSS v3

Risk Factor: High

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Vulnerability Information

CPE: cpe:/a:golang:go

Required KB Items: installed_sw/Golang Go Programming Language

Patch Publication Date: 10/7/2025

Vulnerability Publication Date: 10/7/2025

Reference Information

CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725

IAVB: 2025-B-0177