ALPN negotiation error contains attacker controlled information in crypto/tls

GO-2025-4008 · BIT-golang-2025-58189 · CVE-2025-58189

Published Oct 29, 2025 · Modified May 15, 2026

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

References

FIX https://go.dev/cl/707776
REPORT https://go.dev/issue/75652
WEB https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes