Go 1.25.6 and 1.24.12 have been released to address six significant security vulnerabilities in the Go programming language. These updates resolve issues that could lead to denial-of-service (DoS) attacks, arbitrary code execution, and problems with TLS configurations. Developers using Go’s standard library, particularly in web servers or crypto tools, need to upgrade immediately to protect their projects from potential exploitation. One of the critical vulnerabilities involves the `Request.ParseForm` function in the `net/http` package, which can consume excessive memory if maliciously crafted URL-encoded forms are submitted. Another serious flaw lies in the `archive/zip` package, where super-linear filename indexing could allow crafted ZIP files to crash servers. Additionally, the command-line tools have issues, such as `CgoPkgConfig` bypassing flag sanitization, leading to arbitrary code execution and the mishandling of version control system commands that could execute untrusted code. The TLS problems are particularly concerning. The `Config.Clone` function leaks session keys that could facilitate unauthorized session resumptions, and session checks do not properly account for the expiration of the full certificate chain. These vulnerabilities highlight the ongoing need for secure coding practices and vigilant dependency management. Developers are advised to immediately update to the patched versions and rebuild their binaries to mitigate these risks.