Description
Advisory CVE-2025-25199 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/microsoft/go-crypto-winnative |
Description:
go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to cng.TLS1PRF don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the github.com/microsoft/go-crypto-winnative Go package.
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-25199
- FIX: microsoft/go-crypto-winnative@f49c8e1
- WEB: GHSA-29c6-3hcj-89cf
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/microsoft/go-crypto-winnative
vulnerable_at: 0.0.0-20250211154640-f49c8e1379ea
summary: CVE-2025-25199 in github.com/microsoft/go-crypto-winnative
cves:
- CVE-2025-25199
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-25199
- fix: https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41
- web: https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf
source:
id: CVE-2025-25199
created: 2025-02-12T19:01:32.614047384Z
review_status: UNREVIEWED