CVE-2025-61730 Handshake messages may be processed at the incorrect encryption level in crypto/tls

🗓️ 28 Jan 2026 19:30:30Reported by GoType

TLS 1.3 handshake may process messages before the encryption level changes, risking minor disclosure from injected messages.

Reporter	Title	Published	Views	Family All 778
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data	18 May 202613:36	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to denial of service (CVE-2025-61726, CVE-2025-61728) and loss of confidentiality (CVE-2025-61730)	2 Mar 202614:09	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an information disclosure in Golang Go - crypto/tls (CVE-2025-61730)	14 Apr 202617:12	–	ibm
ATTACKERKB	CVE-2025-61730	28 Jan 202619:30	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : amazon-ecr-credential-helper (ALAS2023-2026-1370)	5 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : cni-plugins (ALAS2023-2026-1373)	5 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1374)	5 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : docker (ALAS2023-2026-1376)	19 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2026-1381)	5 Feb 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : golist (ALAS2023-2026-1382)	5 Feb 202600:00	–	nessus

[
  {
    "vendor": "Go standard library",
    "product": "crypto/tls",
    "collectionURL": "https://pkg.go.dev",
    "packageName": "crypto/tls",
    "versions": [
      {
        "version": "0",
        "lessThan": "1.24.12",
        "status": "affected",
        "versionType": "semver"
      },
      {
        "version": "1.25.0",
        "lessThan": "1.25.6",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "programRoutines": [
      {
        "name": "Conn.handleKeyUpdate"
      },
      {
        "name": "Conn.handshakeContext"
      },
      {
        "name": "clientHandshakeStateTLS13.establishHandshakeKeys"
      },
      {
        "name": "clientHandshakeStateTLS13.readServerFinished"
      },
      {
        "name": "clientHandshakeStateTLS13.sendClientFinished"
      },
      {
        "name": "serverHandshakeStateTLS13.checkForResumption"
      },
      {
        "name": "serverHandshakeStateTLS13.doHelloRetryRequest"
      },
      {
        "name": "serverHandshakeStateTLS13.sendServerParameters"
      },
      {
        "name": "serverHandshakeStateTLS13.sendServerFinished"
      },
      {
        "name": "serverHandshakeStateTLS13.readClientFinished"
      },
      {
        "name": "Conn.quicSetReadSecret"
      },
      {
        "name": "Conn.Handshake"
      },
      {
        "name": "Conn.HandshakeContext"
      },
      {
        "name": "Conn.Read"
      },
      {
        "name": "Conn.Write"
      },
      {
        "name": "Dial"
      },
      {
        "name": "DialWithDialer"
      },
      {
        "name": "Dialer.Dial"
      },
      {
        "name": "Dialer.DialContext"
      },
      {
        "name": "QUICConn.HandleData"
      },
      {
        "name": "QUICConn.Start"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
pkg	www.pkg.go.dev/vuln/GO-2026-4340
go	www.go.dev/cl/724120
go	www.go.dev/issue/76443
groups	www.groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

28 Jan 2026 19:30Current

EPSS0.00006