Handshake messages may be processed at the incorrect encryption level...

6.2 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Basic Information

ID CVE-2025-61730

Source Go

Published Jan 28, 2026 at 19:30

Modified Jan 29, 2026 at 18:33

Affected Product

Vendor Go standard library

Product crypto/tls

Affected Versions Go standard library crypto/tls 0
Go standard library crypto/tls 1.25.0

References

{
    "lastseen": "",
    "description": "During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.",
    "published": "2026-01-28T19:30:30.986Z",
    "modified": "2026-01-29T18:33:18.399Z",
    "type": "cve",
    "title": "Handshake messages may be processed at the incorrect encryption level in crypto/tls",
    "source": "Go",
    "references": "https://go.dev/cl/724120\nhttps://go.dev/issue/76443\nhttps://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc\nhttps://pkg.go.dev/vuln/GO-2026-4340",
    "id": "CVE-2025-61730",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Go standard library crypto/tls 0\nGo standard library crypto/tls 1.25.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "crypto/tls",
    "version": "0",
    "vendor": "Go standard library",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Handshake messages may be processed at the incorrect encryption level in crypto/tls_CVE-2025-61730

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply