CVE-2025-61725 identifies an inefficient algorithmic complexity vulnerability (CWE-407) in the Go programming language's standard library, specifically within the net/mail package's ParseAddress function. The vulnerability stems from the way domain-literal address components are constructed using repeated string concatenation. When the function parses large domain-literal components, this approach leads to excessive CPU consumption due to the quadratic time complexity of string concatenation in Go. An attacker can exploit this by crafting specially formed email addresses with large domain literals, causing the parsing function to consume disproportionate CPU resources, effectively leading to a denial of service (DoS) condition. This vulnerability affects all Go versions up to and including 1.25.0. There are currently no known exploits in the wild, and no official patches have been released yet. The vulnerability does not require authentication or user interaction, increasing its risk profile. The impact is primarily on availability, as excessive CPU usage can degrade or crash services relying on the net/mail package for email address parsing. This is particularly relevant for mail servers, email processing pipelines, or any Go-based applications handling untrusted email inputs. The lack of a CVSS score necessitates an assessment based on the nature of the vulnerability, its ease of exploitation, and potential impact.

For European organizations, the primary impact of CVE-2025-61725 is the risk of denial of service through resource exhaustion. Organizations that use Go-based applications for email parsing, mail servers, or other communication services may experience service outages or degraded performance if targeted with maliciously crafted email addresses containing large domain literals. This can disrupt business operations, especially in sectors relying heavily on email communications such as finance, healthcare, government, and critical infrastructure. Additionally, organizations providing SaaS or cloud services using Go may face customer impact and reputational damage. The vulnerability could be leveraged as part of a broader attack chain to cause operational disruption. Since no authentication or user interaction is needed, automated attacks could be launched at scale. The absence of known exploits currently limits immediate risk, but the potential for future exploitation remains significant. The impact on confidentiality and integrity is minimal, focusing mainly on availability.

To mitigate CVE-2025-61725, European organizations should: 1) Monitor official Go project channels for patches addressing this vulnerability and apply updates promptly once available. 2) In the interim, implement input validation or size limits on email addresses and domain literals before parsing to prevent processing excessively large inputs. 3) Consider using alternative parsing libraries or custom parsing logic that avoids inefficient string concatenation for domain literals. 4) Employ runtime resource monitoring and limits (e.g., CPU quotas, process isolation) on services handling email parsing to detect and contain abnormal CPU usage. 5) Conduct code audits to identify and refactor any usage of net/mail.ParseAddress in critical applications, ensuring that untrusted inputs are sanitized. 6) Deploy Web Application Firewalls (WAFs) or network-level filters to block suspicious email traffic patterns that may exploit this vulnerability. 7) Educate developers and security teams about this vulnerability to raise awareness and encourage secure coding practices regarding input handling.