Bug 2407252 (CVE-2025-61723)

Summary: CVE-2025-61723 encoding/pem: Quadratic complexity when parsing some invalid inputs in encoding/pem
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A potential denial-of-service flaw has been discovered in the Go encoding/pem package. Due to the design of the PEM parsing function, the processing time for some inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs and may result in an unresponsive program should an attacker exploit it.
Last Closed: 2025-11-03 10:46:52 UTC

Description OSIDB Bzimport 2025-10-29 23:01:53 UTC
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
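
Because the cost described above grows with input size, a caller that accepts untrusted PEM can bound the work by capping the bytes handed to `pem.Decode`. The following is an added example, not code from this report or from the Go project; `decodeBoundedPEM`, `samplePEM`, the error values and both limits are hypothetical names and values chosen for illustration.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
)

// Hypothetical limits for this example; size them to the largest PEM you expect.
const (
	maxPEMBytes  = 64 << 10
	maxPEMBlocks = 16
)

var (
	ErrPEMTooLarge   = errors.New("pem: input exceeds size limit")
	ErrTooManyBlocks = errors.New("pem: too many blocks")
	ErrNoPEM         = errors.New("pem: no block found")
)

// decodeBoundedPEM (hypothetical helper) caps the input before parsing, so the
// parser's worst case is bounded by limit rather than by what the peer sends.
func decodeBoundedPEM(r io.Reader, limit int64, maxBlocks int) ([]*pem.Block, error) {
	// Read one byte past the limit so oversize input is rejected, not truncated.
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrPEMTooLarge
	}
	var blocks []*pem.Block
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if len(blocks) == maxBlocks {
			return nil, ErrTooManyBlocks
		}
		blocks = append(blocks, block)
	}
	if len(blocks) == 0 {
		return nil, ErrNoPEM
	}
	return blocks, nil
}

// samplePEM returns a constructed, non-secret PEM block for demonstration.
func samplePEM() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "EXAMPLE", Bytes: []byte("constructed sample")})
}

func main() {
	blocks, err := decodeBoundedPEM(bytes.NewReader(samplePEM()), maxPEMBytes, maxPEMBlocks)
	fmt.Println(len(blocks), err)
}
```

The size cap limits parse time on any toolchain version; it complements, and does not replace, updating to a Go release that carries the fix.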

Comment 1 Vít Ondruch 2025-11-03 10:46:52 UTC
Vagrant does not ship any Go bit => CLOSED NOTABUG

Comment 2 Vít Ondruch 2025-11-03 10:49:12 UTC
(In reply to Vít Ondruch from comment #1)
> Vagrant does not ship any Go bit => CLOSED NOTABUG

Wrong component. Sorry. Reopening.

But since I am already here, this would never have happened if Golang bits were not reported against Vagrant. I wish this was fixed.