data/reports: add GO-2025-4155

  - data/reports/GO-2025-4155.yaml

Fixes #4155

Change-Id: Iea03d58cccc05eb2df016ef505c88d3d8783bd01
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/725980
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Neal Patel <[email protected]>
Auto-Submit: Nicholas Husin <[email protected]>
Reviewed-by: Nicholas Husin <[email protected]>

Author: nicholashusin

data/cve/v5/GO-2025-4155.json

@@ -0,0 +1,79 @@
+{
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.0",
+  "cveMetadata": {
+    "cveId": "CVE-2025-61729"
+  },
+  "containers": {
+    "cna": {
+      "providerMetadata": {
+        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc"
+      },
+      "title": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509",
+      "descriptions": [
+        {
+          "lang": "en",
+          "value": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption."
+        }
+      ],
+      "affected": [
+        {
+          "vendor": "Go standard library",
+          "product": "crypto/x509",
+          "collectionURL": "https://pkg.go.dev",
+          "packageName": "crypto/x509",
+          "versions": [
+            {
+              "version": "0",
+              "lessThan": "1.24.11",
+              "status": "affected",
+              "versionType": "semver"
+            },
+            {
+              "version": "1.25.0",
+              "lessThan": "1.25.5",
+              "status": "affected",
+              "versionType": "semver"
+            }
+          ],
+          "programRoutines": [
+            {
+              "name": "HostnameError.Error"
+            }
+          ],
+          "defaultStatus": "unaffected"
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "lang": "en",
+              "description": "CWE-400: Uncontrolled Resource Consumption"
+            }
+          ]
+        }
+      ],
+      "references": [
+        {
+          "url": "https://go.dev/cl/725920"
+        },
+        {
+          "url": "https://go.dev/issue/76445"
+        },
+        {
+          "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
+        },
+        {
+          "url": "https://pkg.go.dev/vuln/GO-2025-4155"
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "value": "Philippe Antoine (Catena cyber)"
+        }
+      ]
+    }
+  }
+}

data/osv/GO-2025-4155.json

@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-4155",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-61729",
+    "CVE-2025-61729"
+  ],
+  "summary": "Excessive resource consumption when printing error string for host certificate validation in crypto/x509",
+  "details": "Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.",
+  "affected": [
+    {
+      "package": {
+        "name": "stdlib",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.24.11"
+            },
+            {
+              "introduced": "1.25.0"
+            },
+            {
+              "fixed": "1.25.5"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "crypto/x509",
+            "symbols": [
+              "HostnameError.Error"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://go.dev/cl/725920"
+    },
+    {
+      "type": "REPORT",
+      "url": "https://go.dev/issue/76445"
+    },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/golang-announce/c/8FJoBkPddm4"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Philippe Antoine (Catena cyber)"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-4155",
+    "review_status": "REVIEWED"
+  }
+}

data/reports/GO-2025-4155.yaml

@@ -0,0 +1,36 @@
+id: GO-2025-4155
+modules:
+    - module: std
+      versions:
+        - fixed: 1.24.11
+        - introduced: 1.25.0
+        - fixed: 1.25.5
+      vulnerable_at: 1.25.4
+      packages:
+        - package: crypto/x509
+          symbols:
+            - HostnameError.Error
+summary: |-
+    Excessive resource consumption when printing error string for host certificate
+    validation in crypto/x509
+description: |-
+    Within HostnameError.Error(), when constructing an error string, there is no
+    limit to the number of hosts that will be printed out. Furthermore, the error
+    string is constructed by repeated string concatenation, leading to quadratic
+    runtime. Therefore, a certificate provided by a malicious actor can result in
+    excessive resource consumption.
+cves:
+    - CVE-2025-61729
+credits:
+    - Philippe Antoine (Catena cyber)
+references:
+    - fix: https://go.dev/cl/725920
+    - report: https://go.dev/issue/76445
+    - web: https://groups.google.com/g/golang-announce/c/8FJoBkPddm4
+cve_metadata:
+    id: CVE-2025-61729
+    cwe: 'CWE-400: Uncontrolled Resource Consumption'
+source:
+    id: go-security-team
+    created: 2025-12-02T12:24:17.281378783-05:00
+review_status: REVIEWED