Detections
Analytics

Amazon Linux 2 : golang, --advisory ALAS2-2025-3042 (ALAS-2025-3042)

high Nessus Plugin ID 271755

Language:

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of golang installed on the remote host is prior to 1.24.8-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3042 advisory.

 net/url: insufficient validation of bracketed IPv6 hostnames

 The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: http://[::1]/. IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75678NOTE:
 https://github.com/golang/go/commit/9fd3ac8a10272afd90312fef5d379de7d688a58e (go1.25.2)NOTE:
 https://github.com/golang/go/commit/d6d2f7bf76718f1db05461cd912ae5e30d7b77ea (go1.24.8) (CVE-2025-47912)

 archive/tar: unbounded allocation when parsing GNU sparse map

 tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75677NOTE:
 https://github.com/golang/go/commit/2612dcfd3cb6dd73c76e14a24fe1a68e2708e4e3 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/613e746327381d820759ebea6ce722720b343556 (go1.24.8) (CVE-2025-58183)

 encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion

 When parsing DER payloads, memories were being allocated prior to fully validating the payloads.This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75671NOTE:
 https://github.com/golang/go/commit/e0f655bf3f96410f90756f49532bc6a1851855ca (go1.25.2)NOTE:
 https://github.com/golang/go/commit/5c3d61c886f7ecfce9a6d6d3c97e6d5a8afb17d1 (go1.24.8) (CVE-2025-58185)

 net/http: lack of limit when parsing cookies can cause memory exhaustion

 Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.By sending a lot of very small cookies such as a=;, an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

 net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75672NOTE:
 https://github.com/golang/go/commit/100c5a66802b5a895b1d0e5ed3b7918f899c4833 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/c6b04dd33b0215f5deb83724661921842bf67607 (go1.24.8) (CVE-2025-58186)

 crypto/x509: quadratic complexity when checking name constraints

 Due to the design of the name constraint checking algorithm, the processing timeof some inputs scales non- linearly with respect to the size of the certificate.

 This affects programs which validate arbitrary certificate chains.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75681NOTE:
 https://github.com/golang/go/commit/f0c69db15aae2eb10bddd8b6745dff5c2932e8f5 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/f334417e71f8b078ad64035bddb6df7f8910da6c (go1.24.8) (CVE-2025-58187)

 crypto/x509: panic when validating certificates with DSA public keys

 Validating certificate chains which contain DSA public keys can cause programsto panic, due to a interface cast that assumes they implement the Equal method.

 This affects programs which validate arbitrary certificate chains.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75675NOTE:
 https://github.com/golang/go/commit/930ce220d052d632f0d84df5850c812a77b70175 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/f9f198ab05e3282cbf6b13251d47d9141981e401 (go1.24.8) (CVE-2025-58188)

 crypto/tls: ALPN negotiation errors can contain arbitrary text

 The crypto/tls conn.Handshake method returns an error on the server-side when ALPN negotation fails which can contain arbitrary attacker controlled information provided by the client-side of the connection which is not escaped.

 This affects programs which log these errors without any additional form of sanitization, and may allow injection of attacker controlled information into logs.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75652NOTE:
 https://github.com/golang/go/commit/205d0865958a6d2342939f62dfeaf47508101976 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/2e1e356e33b9c792a9643749a7626a1789197bb9 (go1.24.8) (CVE-2025-58189)

 encoding/pem: quadratic complexity when parsing some invalid inputs

 Due to the design of the PEM parsing function, the processing time for someinputs scales non-linearly with respect to the size of the input.

 This affects programs which parse untrusted PEM inputs.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75676NOTE:
 https://github.com/golang/go/commit/90f72bd5001d0278949fab0b7a40f7d8c712979b (go1.25.2)NOTE:
 https://github.com/golang/go/commit/74d4d836b91318a8764b94bc2b4b66ff599eb5f2 (go1.24.8) (CVE-2025-61723)

 net/textproto: excessive CPU consumption in Reader.ReadResponse

 The Reader.ReadResponse function constructed a response string throughrepeated string concatenation of lines. When the number of lines in a response is large,this could cause excessive CPU consumption.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75716NOTE:
 https://github.com/golang/go/commit/5d7a787aa2b486f77537eeaed9c38c940a7182b8 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/a402f4ad285514f5f3db90516d72047d591b307a (go1.24.8) (CVE-2025-61724)

 net/mail: excessive CPU consumption in ParseAddress

 The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.

 NOTE: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJNOTE:
 https://github.com/golang/go/issues/75680NOTE:
 https://github.com/golang/go/commit/6a057327cf9a405e6388593dd4aedc0d0da77092 (go1.25.2)NOTE:
 https://github.com/golang/go/commit/bc6981fd74024098185a23ba3a83a81ed68a06c9 (go1.24.8) (CVE-2025-61725)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update golang' or or 'yum update --advisory ALAS2-2025-3042' to update your system.

See Also

https://alas.aws.amazon.com//AL2/ALAS2-2025-3042.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2025-47912.html

https://explore.alas.aws.amazon.com/CVE-2025-58183.html

https://explore.alas.aws.amazon.com/CVE-2025-58185.html

https://explore.alas.aws.amazon.com/CVE-2025-58186.html

https://explore.alas.aws.amazon.com/CVE-2025-58187.html

https://explore.alas.aws.amazon.com/CVE-2025-58188.html

https://explore.alas.aws.amazon.com/CVE-2025-58189.html

https://explore.alas.aws.amazon.com/CVE-2025-61723.html

https://explore.alas.aws.amazon.com/CVE-2025-61724.html

https://explore.alas.aws.amazon.com/CVE-2025-61725.html

Plugin Details

Severity: High

ID: 271755

File Name: al2_ALAS-2025-3042.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/28/2025

Updated: 10/28/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2025-47912

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:golang-bin, p-cpe:/a:amazon:linux:golang-src, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:golang-tests, p-cpe:/a:amazon:linux:golang, p-cpe:/a:amazon:linux:golang-shared, p-cpe:/a:amazon:linux:golang-docs, p-cpe:/a:amazon:linux:golang-misc

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/27/2025

Vulnerability Publication Date: 10/23/2025

Reference Information

CVE: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725

IAVB: 2025-B-0177