CVE-2025-61725
Description
The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go's net/mail ParseAddress function has quadratic CPU consumption when parsing large domain literals, leading to denial of service.
Vulnerability: Excessive CPU consumption in net/mail.ParseAddress
CVE-2025-61725 is a denial-of-service vulnerability in Go's standard library, specifically in the net/mail.ParseAddress function. The root cause is the use of repeated string concatenation to construct domain-literal address components, which leads to quadratic time complexity (O(n²)) when processing large inputs [1][2][4].
Exploitation
An attacker can trigger this vulnerability by sending a specially crafted email address with a very large domain-literal component to a program that calls ParseAddress. No authentication is required, as the input is untrusted data. The excessive CPU consumption can exhaust server resources, effectively causing a denial-of-service condition [2][3].
Impact
Successful exploitation results in high CPU usage, potentially leading to service unavailability. This is particularly impactful for applications that parse email addresses from untrusted sources, such as mail servers or web forms [1][2][3].
Mitigation
The vulnerability is fixed in Go versions 1.25.2 and 1.24.8. Users should upgrade immediately. No workarounds are available; applications that cannot upgrade should avoid calling ParseAddress with untrusted input [1][2][4].
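As an added example (not code from the Go project or from this page), a bounded wrapper around net/mail.ParseAddress for builds that cannot upgrade yet: it rejects oversized input in constant time before the parser can spend quadratic time on a large domain literal. The 320-byte limit is an assumed value, not one the advisory specifies.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// maxAddrLen bounds the raw text handed to net/mail.ParseAddress. The value is an
// assumption for this example: RFC 5321 caps a forward-path at 256 octets, and a
// little headroom is left for a display name and angle brackets.
const maxAddrLen = 320

// ErrAddressTooLong is returned before ParseAddress is ever called.
var ErrAddressTooLong = errors.New("mail: address exceeds maximum length")

// parseAddressBounded is a stop-gap for programs that cannot move to Go 1.25.2 or
// 1.24.8: the length check is O(1) and keeps a multi-megabyte domain literal from
// reaching the quadratic string concatenation inside ParseAddress.
func parseAddressBounded(s string) (*mail.Address, error) {
	if len(s) > maxAddrLen {
		return nil, ErrAddressTooLong
	}
	return mail.ParseAddress(s)
}

func main() {
	// Constructed inputs: an ordinary address and a 1 MiB domain literal.
	inputs := []string{
		"Alice <alice@example.com>",
		"x@[" + strings.Repeat("a", 1<<20) + "]",
	}
	for _, in := range inputs {
		addr, err := parseAddressBounded(in)
		if err != nil {
			fmt.Printf("rejected %d-byte input: %v\n", len(in), err)
			continue
		}
		fmt.Printf("parsed name=%q address=%q\n", addr.Name, addr.Address)
	}
}
```

Pair the wrapper with an input-size limit at the transport layer (request body or header size) so the oversized data is dropped even earlier.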
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.