What is CVE-2025-68121?

CVE-2025-68121 is a critical-severity vulnerability in Golang Go, classified under Improper Certificate Validation. CVSS score: 10.0/10. Published 2026-02-05.

How severe is CVE-2025-68121?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Vulnerability in Golang Go

CVE-2025-68121

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may h…

Vulnerability class: Improper Certificate Validation

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Golang Go — versions 1.26.0
Go Standard Library Crypto/tls — versions 0, 1.25.0-0, 1.26.0-rc.1

Weakness classification (CWE)

CWE-295 — Improper Certificate Validation

References

security@golang.org (Mailing List, Third Party Advisory)
security@golang.org (Patch)
security@golang.org (Exploit, Issue Tracking)
security@golang.org (Vendor Advisory)

Frequently asked questions

What is CVE-2025-68121?: CVE-2025-68121 is a critical-severity vulnerability in Golang Go, classified under Improper Certificate Validation. CVSS score: 10.0/10. Published 2026-02-05.
How severe is CVE-2025-68121?: Critical severity. CVSS v3 base score is 10.0 out of 10.