CVE-2025-61728

{"id": "CVE-2025-61728", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-61728", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T18:29:58.068724Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security@golang.org", "affectedData": [{"vendor": "Go standard library", "product": "archive/zip", "versions": [{"status": "affected", "version": "0", "lessThan": "1.24.12", "versionType": "semver"}, {"status": "affected", "version": "1.25.0", "lessThan": "1.25.6", "versionType": "semver"}], "packageName": "archive/zip", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "Reader.initFileList"}, {"name": "Reader.Open"}]}]}], "published": "2026-01-28T20:16:09.830", "references": [{"url": "https://go.dev/cl/736713", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/77102", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc", "tags": ["Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4342", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/15/4", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."}, {"lang": "es", "value": "archive/zip usa un algoritmo de indexaci\u00f3n de nombres de archivo superlineal que se invoca la primera vez que se abre un archivo en un archivo comprimido. Esto puede provocar una denegaci\u00f3n de servicio al consumir un archivo ZIP construido maliciosamente."}], "lastModified": "2026-06-17T09:50:48.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B", "versionEndExcluding": "1.24.12"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE", "versionEndExcluding": "1.25.6", "versionStartIncluding": "1.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}