<feed xmlns='http://www.w3.org/2005/Atom'>
<title>go, branch go1.25.6</title>
<subtitle>Fork of Go programming language with my patches.</subtitle>
<id>http://git.kilabit.info/go/atom?h=go1.25.6</id>
<link rel='self' href='http://git.kilabit.info/go/atom?h=go1.25.6'/>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/'/>
<updated>2026-01-15T18:28:34Z</updated>
<entry>
<title>[release-branch.go1.25] go1.25.6</title>
<updated>2026-01-15T18:28:34Z</updated>
<author>
<name>Gopher Robot</name>
<email>gobot@golang.org</email>
</author>
<published>2026-01-15T18:23:44Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=69801b25b9624c3a678ef87d30771861e7bba51f'/>
<id>urn:sha1:69801b25b9624c3a678ef87d30771861e7bba51f</id>
<content type='text'>
Change-Id: Ib93e4136188fce36867537b30977a03885b8b14f
Reviewed-on: https://go-review.googlesource.com/c/go/+/736761
Reviewed-by: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Gopher Robot &lt;gobot@golang.org&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
TryBot-Bypass: Gopher Robot &lt;gobot@golang.org&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] archive/zip: reduce CPU usage in index construction</title>
<updated>2026-01-15T18:15:01Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-11-05T01:00:33Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=9d497df196d66553ae844c22a53fb86cd422e80c'/>
<id>urn:sha1:9d497df196d66553ae844c22a53fb86cd422e80c</id>
<content type='text'>
Constructing the zip index (which is done once when first opening
a file in an archive) can consume large amounts of CPU when
processing deeply-nested directory paths.

Switch to a less inefficient algorithm.

Thanks to Jakub Ciolek for reporting this issue.

	goos: darwin
	goarch: arm64
	pkg: archive/zip
	cpu: Apple M4 Pro
	                          │  /tmp/bench.0  │            /tmp/bench.1            │
	                          │     sec/op     │   sec/op     vs base               │
	ReaderOneDeepDir-14         25983.62m ± 2%   46.01m ± 2%  -99.82% (p=0.000 n=8)
	ReaderManyDeepDirs-14          16.221 ± 1%    2.763 ± 6%  -82.96% (p=0.000 n=8)
	ReaderManyShallowFiles-14      130.3m ± 1%   128.8m ± 2%   -1.20% (p=0.003 n=8)
	geomean                         3.801        253.9m       -93.32%

Fixes #77102
Fixes CVE-2025-61728

Change-Id: I2c9c864be01b2a2769eb67fbab1b250aeb8f6c42
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3060
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3327
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736724
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters</title>
<updated>2026-01-15T18:14:57Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-11-03T22:28:47Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=afa9b66ac081d3b239d8c1a226b5e884c8435185'/>
<id>urn:sha1:afa9b66ac081d3b239d8c1a226b5e884c8435185</id>
<content type='text'>
net/url does not currently limit the number of query parameters parsed by
url.ParseQuery or URL.Query.

When parsing an application/x-www-form-urlencoded form,
net/http.Request.ParseForm will parse up to 10 MB of query parameters.
An input consisting of a large number of small, unique parameters can
cause excessive memory consumption.

We now limit the number of query parameters parsed to 10000 by default.
The limit can be adjusted by setting GODEBUG=urlmaxqueryparams=&lt;n&gt;.
Setting urlmaxqueryparams to 0 disables the limit.

Thanks to jub0bs for reporting this issue.

Fixes #77101
Fixes CVE-2025-61726

Change-Id: Iee3374c7ee2d8586dbf158536d3ade424203ff66
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3020
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3325
Reviewed-by: Roland Shoemaker &lt;bracewell@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736723
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/go/internal/work: sanitize flags before invoking 'pkg-config'</title>
<updated>2026-01-15T18:14:54Z</updated>
<author>
<name>Neal Patel</name>
<email>nealpatel@google.com</email>
</author>
<published>2025-12-04T17:30:39Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=2526187481ee31241b72f491992accbdd66c2655'/>
<id>urn:sha1:2526187481ee31241b72f491992accbdd66c2655</id>
<content type='text'>
The addition of CgoPkgConfig allowed execution with flags not
matching the safelist. In order to prevent potential arbitrary
code execution at build time, ensure that flags are validated
prior to invoking the 'pkg-config' binary.

Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.

Fixes CVE-2025-61731
Fixes #77100

Change-Id: Ic51b41f1f7e697ab98c9c32c6fae35f217f7f364
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3240
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3343
Reviewed-by: Neal Patel &lt;nealpatel@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736722
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/go: update VCS commands to use safer flag/argument syntax</title>
<updated>2026-01-15T18:14:51Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2025-12-10T13:13:07Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=082365aa552a7e2186f79110d5311dce70749cc0'/>
<id>urn:sha1:082365aa552a7e2186f79110d5311dce70749cc0</id>
<content type='text'>
In various situations, the toolchain invokes VCS commands. Some of these
commands take arbitrary input, either provided by users or fetched from
external sources. To prevent potential command injection vulnerabilities
or misinterpretation of arguments as flags, this change updates the VCS
commands to use various techniques to separate flags from positional
arguments, and to directly associate flags with their values.

Additionally, we update the environment variable for Mercurial to use
`HGPLAIN=+strictflags`, which is the more explicit way to disable user
configurations (intended or otherwise) that might interfere with command
execution.

We also now disallow version strings from being prefixed with '-' or
'/', as doing so opens us up to making the same mistake again in the
future. As far as we know there are currently ~0 public modules affected
by this.

While I was working on cmd/go/internal/vcs, I also noticed that a
significant portion of the commands being implemented were dead code.
In order to reduce the maintenance burden and surface area for potential
issues, I removed the dead code for unused commands.

We should probably follow up with a more structured change to make it
harder to accidentally re-introduce these issues in the future, but for
now this addresses the issue at hand.

Thanks to splitline (@splitline) from DEVCORE Research Team for
reporting this issue.

Fixes CVE-2025-68119
Fixes #77099

Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3342
Reviewed-by: Michael Matloob &lt;matloob@google.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/736721
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] crypto/tls: don't copy auto-rotated session ticket keys in Config.Clone</title>
<updated>2026-01-15T18:14:47Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>bracewell@google.com</email>
</author>
<published>2026-01-06T22:36:01Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4be38528a68a8b0c4e101576df200c214ad49c26'/>
<id>urn:sha1:4be38528a68a8b0c4e101576df200c214ad49c26</id>
<content type='text'>
Once a tls.Config is used, it is not safe to mutate. We provide the
Clone method in order to allow users to copy and modify a Config that
is in use.

If Config.SessionTicketKey is not populated, and if
Config.SetSessionTicketKeys has not been called, we automatically
populate and rotate session ticket keys. Clone was previously copying
these keys into the new Config, meaning that two Configs could share
the same auto-rotated session ticket keys. This could allow sessions to
be resumed across different Configs, which may have completely different
configurations.

This change updates Clone to not copy the auto-rotated session ticket
keys.

Additionally, when resuming a session, check not just that the leaf
certificate is unexpired, but that the entire certificate chain is still
unexpired.

Fixes #77113
Fixes CVE-2025-68121

Change-Id: I011df7329de83068d11b3f0c793763692d018a98
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3300
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
Reviewed-by: Nicholas Husin &lt;husin@google.com&gt;
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3321
Reviewed-on: https://go-review.googlesource.com/c/go/+/736720
Auto-Submit: Michael Pratt &lt;mpratt@google.com&gt;
TryBot-Bypass: Michael Pratt &lt;mpratt@google.com&gt;
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] crypto/tls: reject trailing messages after client/server hello</title>
<updated>2026-01-07T21:28:52Z</updated>
<author>
<name>Roland Shoemaker</name>
<email>roland@golang.org</email>
</author>
<published>2025-11-24T22:03:10Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=525dd853633f90d6038719d9a48cba3770ca71ea'/>
<id>urn:sha1:525dd853633f90d6038719d9a48cba3770ca71ea</id>
<content type='text'>
For TLS 1.3, after processing the server/client hello, if there isn't a
CCS message, reject the trailing messages which were appended to the
hello messages. This prevents an on-path attacker from injecting
plaintext messages into the handshake.

Additionally, check that we don't have any buffered messages before we
switch the read traffic secret regardless, since any buffered messages
would have been under an old key which is no longer appropriate.

We also invert the ordering of setting the read/write secrets so that if
we fail when changing the read secret we send the alert using the
correct write secret.

Updates #76443
Fixes #76855
Fixes CVE-2025-61730

Change-Id: If6ba8ad16f48d5cd5db5574824062ad4244a5b52
Reviewed-on: https://go-review.googlesource.com/c/go/+/724120
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-by: Michael Knyszek &lt;mknyszek@google.com&gt;
Reviewed-by: Daniel McCarney &lt;daniel@binaryparadox.net&gt;
Reviewed-by: Coia Prant &lt;coiaprant@gmail.com&gt;
(cherry picked from commit 5046bdf8a612b35a2c1a9e168054c1d5c65e7dd7)
Reviewed-on: https://go-review.googlesource.com/c/go/+/731960
Reviewed-by: Damien Neil &lt;dneil@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] Revert "errors: optimize errors.Join for single unwrappable errors"</title>
<updated>2026-01-07T18:12:19Z</updated>
<author>
<name>Damien Neil</name>
<email>dneil@google.com</email>
</author>
<published>2025-12-23T00:35:42Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=ddcf27fc8c8af1be6304dbe772b76fcdd70d4099'/>
<id>urn:sha1:ddcf27fc8c8af1be6304dbe772b76fcdd70d4099</id>
<content type='text'>
This reverts CL 635115.

Reason for revert: The new behavior does not match the function documentation.

For #76961
Fixes #76973

Change-Id: If2450aa4efba28c7a12887a5b306c231a836e740
Reviewed-on: https://go-review.googlesource.com/c/go/+/731981
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@golang.org&gt;
Reviewed-by: Dmitri Shuralyov &lt;dmitshur@google.com&gt;
Auto-Submit: Damien Neil &lt;dneil@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
(cherry picked from commit 1b3db48db7afc3fe17440af28cdeac67a0d048f1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/734520
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] cmd/compile: handle propagating an out-of-range jump table index</title>
<updated>2026-01-07T17:25:08Z</updated>
<author>
<name>Cuong Manh Le</name>
<email>cuong.manhle.vn@gmail.com</email>
</author>
<published>2025-12-22T11:49:17Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=14f50f6e3e336873be5bc8ca2bb323b55ba65b55'/>
<id>urn:sha1:14f50f6e3e336873be5bc8ca2bb323b55ba65b55</id>
<content type='text'>
For an out-of-range jump table index, the constant facts should not be
propagated to the destinations.

Fixes #76967

Change-Id: Iff29814cb466c7aaa432cec212e5387665c45afc
Reviewed-on: https://go-review.googlesource.com/c/go/+/731860
Auto-Submit: Cuong Manh Le &lt;cuong.manhle.vn@gmail.com&gt;
Reviewed-by: David Chase &lt;drchase@google.com&gt;
Reviewed-by: Cherry Mui &lt;cherryyz@google.com&gt;
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Reviewed-on: https://go-review.googlesource.com/c/go/+/732460
Reviewed-by: Junyang Shao &lt;shaojunyang@google.com&gt;
Commit-Queue: Junyang Shao &lt;shaojunyang@google.com&gt;
Auto-Submit: Junyang Shao &lt;shaojunyang@google.com&gt;
Reviewed-by: Michael Knyszek &lt;mknyszek@google.com&gt;
</content>
</entry>
<entry>
<title>[release-branch.go1.25] runtime: mark getfp as nosplit</title>
<updated>2025-12-30T01:52:02Z</updated>
<author>
<name>khr@golang.org</name>
<email>khr@golang.org</email>
</author>
<published>2025-12-08T14:21:39Z</published>
<link rel='alternate' type='text/html' href='http://git.kilabit.info/go/commit/?id=4e531b2f1416793f82fd63040471b0f782e68624'/>
<id>urn:sha1:4e531b2f1416793f82fd63040471b0f782e68624</id>
<content type='text'>
When compiling with -l, we can't take a stack split here.

Fixes #76761

Change-Id: Ieab1225c6259c7f16bb5188aa84bff615d9db2e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/728060
LUCI-TryBot-Result: Go LUCI &lt;golang-scoped@luci-project-accounts.iam.gserviceaccount.com&gt;
Auto-Submit: Keith Randall &lt;khr@golang.org&gt;
Reviewed-by: Cherry Mui &lt;cherryyz@google.com&gt;
Reviewed-by: Keith Randall &lt;khr@google.com&gt;
(cherry picked from commit d4972f6295aede2ddc35bcb1da5f6351623e9e4d)
Reviewed-on: https://go-review.googlesource.com/c/go/+/728581
</content>
</entry>
</feed>
