x/vulndb: potential Go vuln in github.com/microsoft/go-crypto-winnative: CVE-2025-25199

[GoVulnBot]

Advisory CVE-2025-25199 references a vulnerability in the following Go modules:

Module
github.com/microsoft/go-crypto-winnative

Description:
go-crypto-winnative Go crypto backend for Windows using Cryptography API: Next Generation (CNG). Prior to commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41, calls to cng.TLS1PRF don't release the key handle, producing a small memory leak every time. Commit f49c8e1379ea4b147d5bff1b3be5b0ff45792e41 contains a fix for the issue. The fix is included in versions 1.23.6-2 and 1.22.12-2 of the Microsoft build of go, as well as in the pseudoversion 0.0.0-20250211154640-f49c8e1379ea of the github.com/microsoft/go-crypto-winnative Go package.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-25199
• FIX: microsoft/go-crypto-winnative@f49c8e1
• WEB: GHSA-29c6-3hcj-89cf

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/microsoft/go-crypto-winnative
      vulnerable_at: 0.0.0-20250211154640-f49c8e1379ea
summary: CVE-2025-25199 in github.com/microsoft/go-crypto-winnative
cves:
    - CVE-2025-25199
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-25199
    - fix: https://github.com/microsoft/go-crypto-winnative/commit/f49c8e1379ea4b147d5bff1b3be5b0ff45792e41
    - web: https://github.com/microsoft/go-crypto-winnative/security/advisories/GHSA-29c6-3hcj-89cf
source:
    id: CVE-2025-25199
    created: 2025-02-12T19:01:32.614047384Z
review_status: UNREVIEWED