CVE-2025-68121 – Critical crypto/tls vulnerability in Go stdlib v1.25.4 (CVSS 10.0)

[MrFix93]

The current OpenTelemetry Collector release artifacts appear to be built against Go stdlib v1.25.4, which is affected by CVE-2025-68121 (CVSS 10.0 – CRITICAL).

This vulnerability impacts crypto/tls during session resumption and may allow a resumed TLS handshake to succeed when it should fail, if ClientCAs or RootCAs are mutated between the initial and resumed handshake.

See the details provided by our Trivy scanner:

{
          "VulnerabilityID": "CVE-2025-68121",
          "PkgID": "stdlib@v1.25.4",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/stdlib@v1.25.4",
            "UID": "cac190028f7c30e8"
          },
          "InstalledVersion": "v1.25.4",
          "FixedVersion": "1.24.13, 1.25.7, 1.26.0-rc.3",
          "Status": "fixed",
          "Layer": {
            "DiffID": "sha256:92685b7f1f7253fa098a7226c82eaedb3a30cd69969545e02c536da574a73969"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-68121",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Fingerprint": "sha256:9b2b24b2a998b692b5e52da69d0554da2129afe6b145bd076b0035291a4966c7",
          "Title": "During session resumption in crypto/tls, if the underlying Config has  ...",
          "Description": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-295"
          ],
          "VendorSeverity": {
            "amazon": 3,
            "bitnami": 4,
            "nvd": 4
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "V3Score": 10
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "V3Score": 10
            }
          },
          "References": [
            "https://go.dev/cl/737700",
            "https://go.dev/issue/77217",
            "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk",
            "https://nvd.nist.gov/vuln/detail/CVE-2025-68121",
            "https://pkg.go.dev/vuln/GO-2026-4337"
          ],
          "PublishedDate": "2026-02-05T18:16:10.857Z",
          "LastModifiedDate": "2026-02-10T16:08:03.303Z"
        }

Could you please confirm whether the current release is indeed built with Go 1.25.4, and if so, whether an upgrade to a patched Go version (≥ 1.25.7) is planned?

Given the critical severity (CVSS 10.0), it would be helpful to understand if this will be addressed in an upcoming release.

[dosubot]

Hi @MrFix93! I'm Dosu and I’m helping the opentelemetry-collector-releases team.

Based on the build configuration and Dockerfiles, the current OpenTelemetry Collector release artifacts are built with Go 1.24, not 1.25.4 or a patched version like 1.25.7. This means the CVE-2025-68121 mitigation from Go 1.25.7/1.26 is not present under the current configuration, and there is no explicit mention of plans to upgrade to a patched Go version in the repository or release tooling. If you need to mitigate CVE-2025-68121, upgrading the build environment to Go 1.25.7 or later is recommended for future releases. Source

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[MrFix93]

I agree @dosu, upgrading the build environment is recommended. I'm wandering whether this will be something that the maintainers are concerned with since this CVE is rated as CRITICAL.

[dosubot]

Yes, maintainers are generally very concerned with critical vulnerabilities like CVE-2025-68121. The OpenTelemetry Collector project has a documented policy to prioritize security fixes, and critical CVEs are often enough to trigger a new release. The Fix Team (maintainers) is responsible for creating fixes, releasing updated versions, and notifying users, with the timeline depending on severity and release cadence. There’s also a SIG Security group focused on best practices and security awareness across the project. Past issues show maintainers have responded to critical Go CVEs by upgrading the build environment, and there’s a weekly dependency upgrade policy, though blockers like Go compatibility can delay action. For more details, see the official security response documentation and relevant maintainer discussions.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[mowies]

@MrFix93 thanks for raising this. I checked the latest collector release (0.145.0) and that is already built with Go 1.25.7 so I don't think we are affected by this CVE. Can you confirm that you checked that version?

[MrFix93]

As far as my knowledge reaches, the version in go.mod is the version that is used to build the release, which is 1.23. But I could be wrong here. It does explain why my trivy scanner gives me this signal.

[mowies]

The go directive in the go.mod file only indicates the minimum version that needs to be used for building. (source).

You can use go version <binary-file> to see, which specific Go version was used to build the binary. That's what I did to check the collector binaries, and it returns Go 1.25.7.

I also doubled checked our release pipeline runs to see which Go version is getting installed there, and it's also Go 1.25.7. (link to release pipeline job).