CVE-2025-61728
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-28

Last updated on: 2026-02-06

Assigner: Go Project

Description
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61728
EUVD
EUVD-2025-206432
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.24.12 (exc)
golang go From 1.25.0 (inc) to 1.25.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the archive/zip package, which uses a super-linear file name indexing algorithm triggered the first time a file in a ZIP archive is opened. A specially crafted malicious ZIP archive can exploit this to cause a denial of service.

Impact Analysis

The vulnerability can lead to a denial of service condition when processing a maliciously constructed ZIP archive, potentially causing the application or system using archive/zip to become unresponsive or crash.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61728. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart