encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion (CVE-2025-58185)

[nicholashusin]

When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.

Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.

---

This is a PRIVATE issue for CVE-2025-58185, tracked in http://b/442562525 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2700.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #75704 (for 1.24), #75705 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/709841 mentions this issue: [release-branch.go1.24] encoding/asn1: prevent memory exhaustion when parsing using internal/saferio

[gopherbot]

Change https://go.dev/cl/709856 mentions this issue: encoding/asn1: prevent memory exhaustion when parsing using internal/saferio

[gopherbot]

Change https://go.dev/cl/709850 mentions this issue: [release-branch.go1.25] encoding/asn1: prevent memory exhaustion when parsing using internal/saferio