{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25199", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.400Z", "datePublished": "2025-02-12T17:49:58.397Z", "dateUpdated": "2025-02-12T19:50:24.955Z"}, "containers": {"cna": {"title": "BCryptGenerateSymmetricKey memory leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf"}, {"name": "https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41"}], "affected": [{"vendor": "microsoft", "product": "go-crypto-winnative", "versions": [{"version": "< 1.23.6-2", "status": "affected"}, {"version": "< 1.22.12-2", "status": "affected"}, {"version": "< 0.0.0-20250211154640-f49c8e1379ea", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:49:58.397Z"}, "descriptions": [{"lang": "en", "value": "go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package."}], "source": {"advisory": "GHSA-29c6-3hcj-89cf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T19:47:56.486853Z", "id": "CVE-2025-25199", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:50:24.955Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25199", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T19:47:56.486853Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:48:02.372Z"}}], "cna": {"title": "BCryptGenerateSymmetricKey memory leak", "source": {"advisory": "GHSA-29c6-3hcj-89cf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "microsoft", "product": "go-crypto-winnative", "versions": [{"status": "affected", "version": "< 1.23.6-2"}, {"status": "affected", "version": "< 1.22.12-2"}, {"status": "affected", "version": "< 0.0.0-20250211154640-f49c8e1379ea"}]}], "references": [{"url": "https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf", "name": "https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41", "name": "https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:49:58.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25199", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:50:24.955Z", "dateReserved": "2025-02-03T19:30:53.400Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-12T17:49:58.397Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to `cng.TLS1PRF` don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the `github.com/microsoft/go-crypto-winnative` Go package."}, {"lang": "es", "value": "go-crypto-winnative Backend de criptograf\u00eda Go para Windows que utiliza Cryptography API: Next Generation (CNG). Antes del commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, las llamadas a `cng.TLS1PRF` no liberan el identificador de la clave, lo que produce una peque\u00f1a p\u00e9rdida de memoria. El commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contiene una soluci\u00f3n para el problema. La correcci\u00f3n est\u00e1 incluida en las versiones 1.23.6-2 y 1.22.12-2 de la compilaci\u00f3n de Microsoft de Go, as\u00ed como en la pseudoversi\u00f3n 0.0.0-20250211154640-f49c8e1379ea del paquete Go `github.com/microsoft/go-crypto-winnative`."}], "id": "CVE-2025-25199", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-12T18:15:27.933", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41"}, {"source": "security-advisories@github.com", "url": "https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}