How to fix CVE-2025-68121?

Within 24 hours: Identify all systems running affected Go versions (pre-1.23.5, pre-1.24.1, or pre-1.25.1) and assess exposure in production environments. Within 7 days: Apply vendor patches to all affected systems and conduct restart/deployment validation. Within 30 days: Audit session resumption configurations, review access logs for suspicious session activity, and validate patch deployment across the entire infrastructure.

Is Golang affected by CVE-2025-68121?

A critical vulnerability in TLS session resumption allows attackers to bypass certificate validation controls if certificate authorities are modified during active sessions, potentially enabling unauthorized access to applications.

CVE-2025-68121

CRITICAL

2026-02-05 [email protected]

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 20, 2026 - 17:25 vuln.today

Public exploit code

Patch Released

Feb 20, 2026 - 17:25 nvd

Patch available

CVE Published

Feb 05, 2026 - 18:16 nvd

CRITICAL 10.0

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Analysis

Critical certificate validation bypass in Go crypto/tls during session resumption. If ClientCAs or RootCAs fields are mutated between creating the config and resuming a session, the TLS stack uses the modified trust store, potentially accepting certificates from unintended CAs. CVSS 10.0, PoC available, patch available.

Technical Context

CWE-295 in Go crypto/tls. When a TLS Config's ClientCAs or RootCAs fields are mutated after initial creation but before session resumption, the resumed session uses the mutated trust store rather than the original, bypassing intended certificate validation.

Affected Products

['Go crypto/tls (all versions with this bug)']

Remediation

Apply Go patch. Never mutate Config.ClientCAs/RootCAs after creation — create new Config objects instead. PoC available for testing.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +50

POC: +20

Vendor Status

CVE-2025-68121 vulnerability details – vuln.today

Back

CVE-2025-68121

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-68121

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code