Skip to content

archive/zip: denial of service when parsing arbitrary ZIP archives (CVE-2025-61728) #77102

New issue
New issue
Closed
Closed
archive/zip: denial of service when parsing arbitrary ZIP archives (CVE-2025-61728)#77102
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
Go1.26
@neild

Description

@neild
neild
opened on Jan 7, 2026

archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Thanks to Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.

This is a PRIVATE issue for CVE-2025-61728, tracked in http://b/445533267 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3060.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions