Go stdlib CVE-2025-68121 #2135

@FiruzTopher

Description

Hey, I would like to track CVE-2025-68121 here since a scanner raised it in our project.

We use layers:

  • opentelemetry-nodejs-0_19_0:1
  • opentelemetry-collector-arm64-0_19_0:1

Based on the CVE description (source), the issue affects TLS server applications that:

  • accept inbound TLS connections,
  • use TLS session resumption,

and dynamically modify TLS client authentication settings (e.g. ClientCAs / RootCAs) in mTLS setups.

OpenTelemetry Lambda layers are typically used as telemetry clients, exporting traces and metrics to external backends. They do not operate as publicly exposed TLS servers, nor do they manage dynamic client CA policies for inbound connections.

Therefore, the vulnerable server-side code path described in CVE-2025-68121 does not appear applicable in standard OpenTelemetry Lambda usage.

We are documenting this here for visibility, as automated tooling may flag it as critical without evaluating runtime context.

The issue is fixed in Go version 1.24.13, released 04.02.2026 (source).

Since this repo updated to Go version 1.24.11 on 27.01.2026 (source), it will probably be solved the next time Go is updated :)
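As an added example (not part of this issue or of the OpenTelemetry Lambda project), here is a small Go triage helper for the two questions the report above turns on: whether a toolchain version string is at or above the release the issue names as fixed, and whether a server-side `tls.Config` combines session resumption with per-connection client-authentication settings. The function names, the use of `GetConfigForClient` as a proxy for "dynamically modifies client authentication settings", and the constructed sample config are assumptions; the helper only encodes the conditions as the issue states them, not the CVE's exact trigger.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"go/version"
	"runtime"
)

// FixedVersion is the Go release the issue names as carrying the fix.
const FixedVersion = "go1.24.13"

// ToolchainIsPatched reports whether a Go toolchain version string
// (as returned by runtime.Version() or shown by `go version -m <binary>`)
// is at least FixedVersion. Strings that are not well-formed Go versions
// (for example development builds) are treated as unknown, i.e. not patched.
func ToolchainIsPatched(v string) bool {
	if !version.IsValid(v) {
		return false
	}
	return version.Compare(v, FixedVersion) >= 0
}

// ServerMatchesRiskProfile is a hypothetical triage heuristic (an assumption
// of this example): it reports whether a server-side tls.Config has both
// properties the issue lists together, session resumption left enabled and
// client-auth settings chosen per connection via GetConfigForClient.
// Code that mutates cfg.ClientCAs at runtime cannot be seen from the
// config alone and must be found by code review.
func ServerMatchesRiskProfile(cfg *tls.Config) bool {
	resumptionEnabled := !cfg.SessionTicketsDisabled
	dynamicClientAuth := cfg.GetConfigForClient != nil
	return resumptionEnabled && dynamicClientAuth
}

// WithResumptionDisabled returns a clone of cfg with session tickets
// disabled. crypto/tls documents SessionTicketsDisabled as turning off both
// TLS 1.2 session tickets and TLS 1.3 PSK resumption, which removes the
// "uses TLS session resumption" condition until the toolchain is updated.
func WithResumptionDisabled(cfg *tls.Config) *tls.Config {
	c := cfg.Clone()
	c.SessionTicketsDisabled = true
	return c
}

func main() {
	// Constructed example: an mTLS server that selects its client CA pool
	// per connection and leaves resumption on, the profile the issue describes.
	risky := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
			// A real server would return a config carrying a freshly loaded
			// ClientCAs pool here; nil, nil keeps the base config.
			return nil, nil
		},
	}

	fmt.Printf("toolchain %s patched: %v\n", runtime.Version(), ToolchainIsPatched(runtime.Version()))
	fmt.Printf("risky config matches profile: %v\n", ServerMatchesRiskProfile(risky))
	fmt.Printf("hardened config matches profile: %v\n", ServerMatchesRiskProfile(WithResumptionDisabled(risky)))
}
```

For a Lambda layer used purely as a telemetry client, `ServerMatchesRiskProfile` never has a config to inspect, which is the point the issue makes; the version check is still useful as a gate in CI so the scanner finding closes itself once the toolchain moves past 1.24.13.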
