Skip to content

Instantly share code, notes, and snippets.

@alon710

alon710/GHSA-J443-WCQQ-XPRH.md

Created March 11, 2026 04:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save alon710/beef884f648182154845d222b09c6d82 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save alon710/beef884f648182154845d222b09c6d82 to your computer and use it in GitHub Desktop.
Download ZIP
GHSA-J443-WCQQ-XPRH: CVE-2025-68121: TLS Session Resumption Trust Bypass in Go crypto/tls - CVE Security Report
Raw
GHSA-J443-WCQQ-XPRH.md

GHSA-J443-WCQQ-XPRH: CVE-2025-68121: TLS Session Resumption Trust Bypass in Go crypto/tls

CVSS Score: 10.0 Published: 2026-03-11 Full Report: https://cvereports.com/reports/GHSA-J443-WCQQ-XPRH

Summary

A critical vulnerability in the Go standard library's crypto/tls package allows attackers to bypass updated Certificate Authority (CA) trust stores during TLS session resumption. Applications that dynamically mutate TLS configurations, such as the Terraform Provider for SendGrid, may inadvertently accept connections from entities whose certificates have been explicitly revoked or removed from the active trust configuration.

TL;DR

Go's crypto/tls package fails to re-validate certificate chains against updated trust stores during TLS session resumption, allowing revoked certificates to maintain access if a valid session ticket was previously issued.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-295
  • Attack Vector: Network
  • CVSS v3.1 Score: 10.0
  • Exploit Status: Proof of Concept
  • CISA KEV: No
  • Privileges Required: None

Affected Systems

  • Go (Golang) Standard Library (crypto/tls)
  • Terraform Provider for SendGrid (github.com/arslanbekov/terraform-provider-sendgrid)
  • Any Go-based application utilizing dynamic tls.Config modifications
  • Go (crypto/tls): < 1.24.13 (Fixed in: 1.24.13)
  • Go (crypto/tls): >= 1.25.0, < 1.25.7 (Fixed in: 1.25.7)
  • terraform-provider-sendgrid: All versions built with vulnerable Go compilers (Fixed in: Requires recompilation)

Mitigation

  • Upgrade the Go toolchain to version 1.24.13 or 1.25.7+.
  • Recompile all downstream Go applications and Terraform providers with the patched compiler.
  • Disable TLS session resumption (SessionTicketsDisabled: true) in tls.Config if immediate recompilation is not viable.
  • Explicitly rotate session ticket keys via SetSessionTicketKeys whenever dynamic trust store configurations are updated.

Remediation Steps:

  1. Identify all Go binaries deployed in the environment, utilizing static analysis tools to determine the compiler version.
  2. Update the local development environments and CI/CD pipelines to utilize Go 1.24.13 or Go 1.25.7.
  3. Trigger rebuilds for all internal Go applications and dependencies, ensuring the newly compiled artifacts replace vulnerable deployments.
  4. Update third-party dependencies, such as terraform-provider-sendgrid, to their latest respective versions built against the patched Go runtime.

References

Generated by CVEReports - Automated Vulnerability Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment