CVE-2025-61723 is a vulnerability classified under CWE-407 (Inefficient Algorithmic Complexity) found in the Go programming language's standard library, specifically in the encoding/pem package. The issue arises because the parsing algorithm for PEM-encoded data exhibits non-linear processing time growth when handling certain malformed or invalid inputs. This means that as the size of the crafted input increases, the time required to parse it grows disproportionately, potentially leading to significant CPU resource consumption. This vulnerability primarily impacts applications that parse PEM data from untrusted sources, such as certificate management tools, TLS libraries, or any service that processes PEM-encoded keys or certificates. Since PEM is a common format for cryptographic materials, this vulnerability can be exploited to cause denial-of-service (DoS) by sending specially crafted large invalid PEM inputs, resulting in application slowdown or crash due to resource exhaustion. The vulnerability affects all Go versions up to and including 1.25.0. No patches or fixes have been published at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability does not require authentication or user interaction, making it easier for remote attackers to exploit if the affected application parses untrusted PEM data directly. The lack of a CVSS score necessitates an assessment based on impact and exploitability factors.

For European organizations, this vulnerability poses a significant risk of denial-of-service attacks against services and applications that utilize the Go standard library for PEM parsing. This includes web servers, certificate management systems, and security appliances that handle cryptographic keys or certificates in PEM format. A successful exploitation could lead to service outages, degraded performance, or increased operational costs due to resource exhaustion. Critical infrastructure sectors such as finance, telecommunications, and government services that rely on Go-based software could face disruptions. Additionally, organizations involved in software development or cloud services using Go may experience increased exposure if their applications accept untrusted PEM inputs. The absence of known exploits reduces immediate risk, but the potential for automated attacks exists once exploit code becomes available. The impact on confidentiality and integrity is minimal, but availability is significantly affected.

To mitigate this vulnerability, European organizations should prioritize updating the Go standard library to a patched version once it is released. Until a patch is available, developers should implement strict input validation to reject malformed or suspicious PEM data before parsing. Rate limiting and resource usage monitoring on services that parse PEM inputs can help detect and prevent abuse. Employing application-layer firewalls or Web Application Firewalls (WAFs) to filter or block suspicious PEM payloads is recommended. Developers should audit their codebases to identify all instances where PEM parsing occurs and ensure that untrusted inputs are handled cautiously. Additionally, sandboxing or isolating processes that perform PEM parsing can limit the impact of potential DoS attacks. Monitoring logs for unusual spikes in CPU or memory usage related to PEM parsing can provide early warning signs of exploitation attempts.