CVE-2025-68121: TLS Session Resumption Trust Bypass in Go crypto/tls
Vulnerability ID: GHSA-J443-WCQQ-XPRH
CVSS Score: 10.0
Published: 2026-03-11
A critical vulnerability in the Go standard library's crypto/tls package allows attackers to bypass updated Certificate Authority (CA) trust stores during TLS session resumption. Applications that dynamically mutate TLS configurations, such as the Terraform Provider for SendGrid, may inadvertently accept connections from entities whose certificates have been explicitly revoked or removed from the active trust configuration.
TL;DR
Go's crypto/tls package fails to re-validate certificate chains against updated trust stores during TLS session resumption, allowing revoked certificates to maintain access if a valid session ticket was previously issued.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-295
- Attack Vector: Network
- CVSS v3.1 Score: 10.0
- Exploit Status: Proof of Concept
- CISA KEV: No
- Privileges Required: None
Affected Systems
- Go (Golang) Standard Library (crypto/tls)
- Terraform Provider for SendGrid (github.com/arslanbekov/terraform-provider-sendgrid)
- Any Go-based application utilizing dynamic tls.Config modifications
- Go (crypto/tls): < 1.24.13 (Fixed in: 1.24.13)
- Go (crypto/tls): >= 1.25.0, < 1.25.7 (Fixed in: 1.25.7)
- terraform-provider-sendgrid: All versions built with vulnerable Go compilers (Fixed in: Requires recompilation)
Code Analysis
Commit: 737700
Go Gerrit CL 737700 addressing certificate chain validation bypass during resumption.
The patch ensures that resumed sessions strictly re-evaluate the peer's certificate chain against the currently active RootCAs or ClientCAs collections.
Mitigation Strategies
- Upgrade the Go toolchain to version 1.24.13 or 1.25.7+.
- Recompile all downstream Go applications and Terraform providers with the patched compiler.
- Disable TLS session resumption (SessionTicketsDisabled: true) in tls.Config if immediate recompilation is not viable.
- Explicitly rotate session ticket keys via SetSessionTicketKeys whenever dynamic trust store configurations are updated.
Remediation Steps:
- Identify all Go binaries deployed in the environment, utilizing static analysis tools to determine the compiler version.
- Update the local development environments and CI/CD pipelines to utilize Go 1.24.13 or Go 1.25.7.
- Trigger rebuilds for all internal Go applications and dependencies, ensuring the newly compiled artifacts replace vulnerable deployments.
- Update third-party dependencies, such as terraform-provider-sendgrid, to their latest respective versions built against the patched Go runtime.
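For the first remediation step, the following added example (not part of the original advisory or of the Go project) reads the toolchain version embedded in each Go binary with the standard library's debug/buildinfo package and checks it against the affected ranges listed above. The function name vulnerable and the command-line usage are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// vulnerable reports whether a toolchain version string such as "go1.24.12"
// falls in the affected ranges listed on this page: < 1.24.13, or
// >= 1.25.0 and < 1.25.7. Unparseable versions (rc, devel) return an error.
func vulnerable(goVersion string) (bool, error) {
	fields := strings.Fields(goVersion)
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go") {
		return false, fmt.Errorf("unrecognised Go version %q", goVersion)
	}
	var v [3]int // major, minor, patch; a missing patch counts as 0
	for i, p := range strings.SplitN(fields[0][2:], ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unrecognised Go version %q", goVersion)
		}
		v[i] = n
	}
	switch {
	case v[0] < 1 || (v[0] == 1 && v[1] < 24):
		return true, nil
	case v[0] == 1 && v[1] == 24:
		return v[2] < 13, nil
	case v[0] == 1 && v[1] == 25:
		return v[2] < 7, nil
	}
	return false, nil
}

// Usage: pass the paths of the binaries to check as arguments.
func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // reads the embedded toolchain version
		if err != nil {
			fmt.Printf("%s: not a readable Go binary: %v\n", path, err)
			continue
		}
		vuln, err := vulnerable(info.GoVersion)
		fmt.Printf("%s: %s vulnerable=%t err=%v\n", path, info.GoVersion, vuln, err)
	}
}
```

A binary flagged here was built with an affected toolchain; whether it actually uses crypto/tls with session resumption still has to be confirmed per application.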
References
- Go Advisory GO-2026-4337
- Go Issue #77217: certificate chains aren't re-checked on resumption
- Go Gerrit CL 737700 (Patch)
- GitHub Advisory GHSA-j443-wcqq-xprh
- Snyk Package Advisory: terraform-provider-sendgrid
Read the full report for GHSA-J443-WCQQ-XPRH on our website for more details including interactive diagrams and full exploit analysis.