Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Jan 29, 2026

Excessive CPU consumption when building archive index in archive/zip

CVE-2025-61728

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected products

Golang/GoOSV
Range: go1.10beta1, go1.10beta2, go1.10rc1, …
Archive Zip/Archive Zipllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

go.dev/cl/736713mitre
go.dev/issue/77102mitre
groups.google.com/g/golang-announce/c/Vd2tYVM8eUcmitre
pkg.go.dev/vuln/GO-2026-4342mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000