
CVE-2025-61724 · Medium impact · CVSS 5.3

net/textproto: CPU Exhaustion via Excessive HTTP Response Lines

Exploitable under specific conditions

This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.

Exploitation requires a malicious or compromised backend to return a crafted multi-line HTTP response. The attack path goes through the backend connection, not directly from external clients.

Component: Go standard library (net/textproto)

Disclosed: Oct 8, 2025

CVSS Score: 5.3

Description

Go’s net/textproto package constructs response strings through repeated string concatenation when reading multi-line HTTP responses. A backend that returns a response with a very large number of lines can drive excessive CPU consumption in KrakenD, causing a denial of service. Fixed in Go 1.24.8 and Go 1.25.2.
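To make the mechanism concrete, the following added example (written for this page, not code from KrakenD or the Go standard library) puts the pattern the advisory describes next to a hardened form. Both functions read a code-message response in the style net/textproto handles ("250-continuation" lines ending with a "250 final" line); the names readMultiLineQuadratic, readMultiLineBounded and the constructed sample input are assumptions of this example. The first variant appends each line with string concatenation, so line k copies everything read so far and n lines cost O(n^2) byte copies with no upper bound on n. The second uses strings.Builder (amortized linear growth) and a caller-chosen line cap, which is the kind of limit a gateway wants between itself and an untrusted backend.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// ErrTooManyLines is returned when a multi-line response exceeds the cap
// the caller set. Failing early bounds both CPU time and memory.
var ErrTooManyLines = errors.New("multi-line response exceeds line limit")

// readMultiLineQuadratic illustrates the pattern the advisory describes; it
// is NOT the standard library's code. Every continuation line is appended
// with "+", so the accumulated message is copied on each iteration and
// there is no limit on how many lines a backend may send.
func readMultiLineQuadratic(r *bufio.Reader) (string, error) {
	var msg string
	for {
		line, err := r.ReadString('\n')
		if err != nil {
			return "", err
		}
		line = strings.TrimRight(line, "\r\n")
		if len(line) < 4 {
			return "", fmt.Errorf("short response line %q", line)
		}
		msg = msg + line[4:] + "\n" // copies the whole message every time
		if line[3] == ' ' {         // "code text" (space) ends the response
			return strings.TrimSuffix(msg, "\n"), nil
		}
	}
}

// readMultiLineBounded is the hardened form: a strings.Builder grows
// amortized-linearly, and maxLines caps the work an untrusted backend can
// force on the reader.
func readMultiLineBounded(r *bufio.Reader, maxLines int) (string, error) {
	var b strings.Builder
	for n := 0; ; n++ {
		if n >= maxLines {
			return "", ErrTooManyLines
		}
		line, err := r.ReadString('\n')
		if err != nil {
			return "", err
		}
		line = strings.TrimRight(line, "\r\n")
		if len(line) < 4 {
			return "", fmt.Errorf("short response line %q", line)
		}
		if n > 0 {
			b.WriteByte('\n')
		}
		b.WriteString(line[4:])
		if line[3] == ' ' {
			return b.String(), nil
		}
	}
}

// craftedResponse builds a constructed sample (test data, not captured
// traffic): lines-1 continuation lines followed by one terminating line.
func craftedResponse(lines int) string {
	var b strings.Builder
	for i := 1; i < lines; i++ {
		fmt.Fprintf(&b, "250-line %d\r\n", i)
	}
	b.WriteString("250 done\r\n")
	return b.String()
}

func main() {
	small := craftedResponse(3)
	msg, err := readMultiLineBounded(bufio.NewReader(strings.NewReader(small)), 100)
	fmt.Printf("bounded: %q err=%v\n", msg, err)

	// A response far above the cap is rejected after maxLines reads,
	// regardless of how many lines the backend would have sent.
	huge := craftedResponse(200000)
	_, err = readMultiLineBounded(bufio.NewReader(strings.NewReader(huge)), 1000)
	fmt.Println("bounded on oversized input:", err)
}
```

Upgrading Go (or KrakenD to a release built with a fixed Go) removes the quadratic concatenation itself; a line or byte cap on backend responses is the complementary, defence-in-depth control that stays useful against the next unbounded-input bug.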

Version summary

Edition              Addressed in   Affected versions
Community Edition    2.11.1         >= 2.0, < 2.11.1
Enterprise Edition   2.11.2         >= 2.0, < 2.11.2

Upgrade to the addressed version or later to remediate this vulnerability.
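As an added triage helper (not KrakenD's own tooling), the following Go example encodes the version ranges from this advisory so a deployment inventory can be checked mechanically: krakendAffected applies the CE and EE ranges above, and goToolchainFixed checks a Go release against the 1.24.8 / 1.25.2 fix versions for anyone building KrakenD from source. The function names are assumptions of this example; so is the assumption that every Go release line newer than 1.25 carries the fix and every line older than 1.24 does not.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed dotted version such as "2.11.1" or "1.24.8".
type version []int

// parseVersion accepts "2.11.1", "v2.11.1" and "go1.24.8"; pre-release
// suffixes such as "rc1" are rejected rather than guessed at.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "go")
	s = strings.TrimPrefix(s, "v")
	parts := strings.Split(s, ".")
	v := make(version, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("bad version %q: %w", s, err)
		}
		v = append(v, n)
	}
	return v, nil
}

// cmp returns -1, 0 or 1; missing trailing components count as 0,
// so "2.11" equals "2.11.0".
func (a version) cmp(b version) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// krakendAffected applies the advisory's ranges:
// CE >= 2.0, < 2.11.1 and EE >= 2.0, < 2.11.2.
func krakendAffected(edition, ver string) (bool, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	var fixed version
	switch strings.ToUpper(strings.TrimSpace(edition)) {
	case "CE":
		fixed = version{2, 11, 1}
	case "EE":
		fixed = version{2, 11, 2}
	default:
		return false, fmt.Errorf("unknown edition %q", edition)
	}
	return v.cmp(version{2, 0}) >= 0 && v.cmp(fixed) < 0, nil
}

// goToolchainFixed reports whether a Go release carries the net/textproto
// fix (1.24.8 / 1.25.2 per the advisory). Assumption: release lines after
// 1.25 carry it and lines before 1.24 do not.
func goToolchainFixed(ver string) (bool, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	switch {
	case v.cmp(version{1, 24}) < 0:
		return false, nil
	case v.cmp(version{1, 25}) < 0:
		return v.cmp(version{1, 24, 8}) >= 0, nil
	case v.cmp(version{1, 26}) < 0:
		return v.cmp(version{1, 25, 2}) >= 0, nil
	default:
		return true, nil
	}
}

func main() {
	// Constructed inventory lines, not a real deployment.
	for _, d := range [][2]string{{"CE", "2.11.0"}, {"CE", "2.11.1"}, {"EE", "2.11.1"}} {
		aff, err := krakendAffected(d[0], d[1])
		fmt.Printf("KrakenD %s %s affected=%v err=%v\n", d[0], d[1], aff, err)
	}
	for _, g := range []string{"go1.24.7", "go1.24.8", "go1.25.1", "go1.25.2"} {
		ok, err := goToolchainFixed(g)
		fmt.Printf("%s fixed=%v err=%v\n", g, ok, err)
	}
}
```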
