Session Resumption Vulnerability in Go's Crypto/TLS Library by Google
CVE-2025-68121

4.8 MEDIUM

Key Information:

Vendor: Go (Google)
CVE Published: 5 February 2026

What is CVE-2025-68121?

CVE-2025-68121 is a session resumption flaw in Go's crypto/tls package. A resumed handshake builds on the peer verification performed during the original full handshake. If the ClientCAs or RootCAs fields of the Config in force have changed between that original handshake and the resumption, the resumed handshake can succeed in circumstances where a full handshake under the current Config would have failed. This can be triggered through improper use of Config.Clone (deriving a Config with different CAs that still shares the original's session state) or through Config.GetConfigForClient (serving per-client Configs with different ClientCAs). The effect is an authentication bypass in either direction: a client can resume a session with a server whose certificate its current RootCAs would not accept, and a server can accept a resumption from a client whose certificate its current ClientCAs would have rejected in the original handshake.
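The client-side half of this misuse, and the habit that defuses it, as an added example. This is illustration code written for this page, not code from the Go project or from the advisory. It assumes loopback TCP is available, uses a constructed self-signed certificate and the constructed server name "example.test", and the functions newSelfSigned, cloneWithRootCAs and handshake are this example's own. It shows the mechanism behind the "improper use of Config.Clone" wording: Config.Clone copies the ClientSessionCache reference, so a clone with different RootCAs still offers the sessions cached under the old roots, and the fix on the application side is to give a Config with different trust anchors its own session cache.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const host = "example.test" // constructed server name used by every certificate and handshake below

// newSelfSigned builds a throwaway self-signed certificate (constructed test data)
// that serves both as the server's leaf and as the sole trust anchor in the returned
// pool. It panics on failure because it only generates fixtures for this example.
func newSelfSigned() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line above; parsing it cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// cloneWithRootCAs derives a client Config that trusts a different root set and
// gives it a session cache of its own, so a session established under base's
// roots is never offered for resumption under the new ones.
func cloneWithRootCAs(base *tls.Config, roots *x509.CertPool) *tls.Config {
	c := base.Clone() // Clone copies the ClientSessionCache reference; replace it
	c.RootCAs = roots
	c.ClientSessionCache = tls.NewLRUClientSessionCache(32)
	return c
}

// handshake runs one TLS connection over loopback TCP and reports whether the
// client resumed a cached session. The client reads one short message so that
// the TLS 1.3 NewSessionTicket delivered after the handshake is processed and
// stored in its ClientSessionCache before the connection is closed.
func handshake(server, client *tls.Config) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() { // server side: one connection, one short message after the handshake
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, server)
		defer srv.Close()
		if srv.Handshake() == nil {
			_, _ = srv.Write([]byte("ok"))
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	cli := tls.Client(raw, client)
	defer cli.Close()
	if _, err := io.ReadFull(cli, make([]byte, 2)); err != nil { // implicit handshake, then ticket and "ok"
		return false, err
	}
	return cli.ConnectionState().DidResume, nil
}

func main() {
	serverCert, poolA := newSelfSigned() // the server's certificate; trusted only through poolA
	_, poolB := newSelfSigned()          // an unrelated anchor: the server's certificate must fail under it
	server := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	base := &tls.Config{RootCAs: poolA, ServerName: host, ClientSessionCache: tls.NewLRUClientSessionCache(32)}
	for i := 1; i <= 2; i++ { // run 1 is a full handshake; run 2 resumes the cached ticket
		resumed, err := handshake(server, base)
		fmt.Printf("trusted roots, run %d: resumed=%v err=%v\n", i, resumed, err)
	}
	shared := base.Clone() // improper use: different RootCAs, but Clone kept base's session cache
	shared.RootCAs = poolB
	resumed, err := handshake(server, shared)
	fmt.Printf("new RootCAs, shared cache: resumed=%v err=%v\n", resumed, err)
	resumed, err = handshake(server, cloneWithRootCAs(base, poolB))
	fmt.Printf("new RootCAs, own cache:    resumed=%v err=%v\n", resumed, err)
}
```

On an affected toolchain the third run (different RootCAs, shared cache) is expected to report resumed=true with no error, which is exactly the bypass the advisory describes; on Go 1.24.13, 1.25.7, 1.26rc3 or later it is expected to be refused. The fourth run fails with a certificate verification error on every version, because its Config has no cached session to offer and the server's certificate does not chain to poolB. The server-side counterpart is the same discipline applied to ticket keys: the Config.GetConfigForClient documentation states that a returned Config uses the original Config's session ticket keys unless SessionTicketKey was set or SetSessionTicketKeys was called on it, so a Config returned with a different ClientCAs should get its own keys (or SessionTicketsDisabled), which forces a full handshake and a fresh client certificate check against the intended pool.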


Affected Version(s)

Ranges are given as "first affected < first fixed":

crypto/tls 0 < 1.24.13 (every release before Go 1.24.13)

crypto/tls 1.25.0-0 < 1.25.7 (Go 1.25.0 through 1.25.6)

crypto/tls 1.26.0-rc.1 < 1.26.0-rc.3 (Go 1.26rc1 and 1.26rc2)

Fixed in Go 1.24.13, 1.25.7 and 1.26rc3. Because crypto/tls is part of the standard library, the toolchain that built a binary determines exposure: check it with "go version -m <binary>", and run "govulncheck ./..." (or "govulncheck -mode=binary <binary>"), which reports standard-library vulnerabilities for the Go version in use.

CVSS v3.1

Score: 4.8
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Note: under the CVSS v3.1 formula the metrics listed above compute to a base score of 5.6, not 4.8. A score of 4.8 corresponds to the same vector with Availability: None (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), which also fits the nature of the bug (an authentication bypass rather than a denial of service). Confirm against the authoritative CVE record before relying on either value.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 5 February 2026

Credit

Coia Prant (github.com/rbqvq)
Go Security Team