CVE-2025-61729 (UNKNOWN): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2025-61729	UNKNOWN	stdlib	v1.25.4	1.24.11, 1.25.5	2025-12-02T19:15:51.447Z	2025-12-03T10:18:21.24773468Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/provided:latest	public.ecr.aws/lambda/provided@sha256:c7d5f051b8902752c431af7466546ca25fdf3407fe5a0da8d7450e3a4a57cc32
public.ecr.aws/lambda/provided:al2023	public.ecr.aws/lambda/provided@sha256:c7d5f051b8902752c431af7466546ca25fdf3407fe5a0da8d7450e3a4a57cc32
public.ecr.aws/lambda/provided:al2	public.ecr.aws/lambda/provided@sha256:7b250ff0e1f1e39c350502efd5e409d77631262509dfc1910e72b22be9ae80b4
public.ecr.aws/lambda/python:latest	public.ecr.aws/lambda/python@sha256:e78bfe2edd6206a58448bbeb08164c7c420fc974b38e21cefbcd8ed2e7f2d49c
public.ecr.aws/lambda/python:3.14-preview	public.ecr.aws/lambda/python@sha256:75413a55af1b3213170328c01d102f81ddbb9d8d1308132656b15a61c12925c4
public.ecr.aws/lambda/python:3.13	public.ecr.aws/lambda/python@sha256:e78bfe2edd6206a58448bbeb08164c7c420fc974b38e21cefbcd8ed2e7f2d49c
public.ecr.aws/lambda/python:3.12	public.ecr.aws/lambda/python@sha256:1f37938f6c1c1443c182ae1e0b14bcd34d2f5c55f44d974563f744f7ac141dc8
public.ecr.aws/lambda/python:3.11	public.ecr.aws/lambda/python@sha256:b4d2fef7750fe8ef8cee837b111682ac12d8d36a2b398081387362960496ed2b
public.ecr.aws/lambda/python:3.10	public.ecr.aws/lambda/python@sha256:d9ca9ef4e61752097e21ba610da5a17ef1958242a7f7df279c765093e0639427
public.ecr.aws/lambda/python:3.9	public.ecr.aws/lambda/python@sha256:6db0b91dc1198b002a94e6d88be15fe3cb339206e309681b6dbc1cdc861ccb95
public.ecr.aws/lambda/nodejs:latest	public.ecr.aws/lambda/nodejs@sha256:8b777a857e5f973f76cd1dc85c8f1d3daf832cc656a8dd2d16c3d862a5ad4661
public.ecr.aws/lambda/nodejs:24-preview	public.ecr.aws/lambda/nodejs@sha256:592e7661c80b13da0a74b3fa135770c746c70b4f6084d3732afc240d56787488
public.ecr.aws/lambda/nodejs:22	public.ecr.aws/lambda/nodejs@sha256:8b777a857e5f973f76cd1dc85c8f1d3daf832cc656a8dd2d16c3d862a5ad4661
public.ecr.aws/lambda/nodejs:20	public.ecr.aws/lambda/nodejs@sha256:9e9becb3aea7d7ed09a1eb6a342f4f89936f4e037aeddcc78ea3f185b5bf4a84
public.ecr.aws/lambda/java:latest	public.ecr.aws/lambda/java@sha256:98105684d3ae337f816d98e4245b83f0ae1de2900007b302e0cacd95f57f87c5
public.ecr.aws/lambda/java:21	public.ecr.aws/lambda/java@sha256:98105684d3ae337f816d98e4245b83f0ae1de2900007b302e0cacd95f57f87c5
public.ecr.aws/lambda/java:17	public.ecr.aws/lambda/java@sha256:0530382a888f1abb01663ecedeaab846b65216f1963dee95a935806a9600168f
public.ecr.aws/lambda/java:11	public.ecr.aws/lambda/java@sha256:17fca66b17e6d347c5ca1d1079622cd80b2f9c1a66a8ff2e7e660199cd9781a0
public.ecr.aws/lambda/java:8.al2	public.ecr.aws/lambda/java@sha256:1b317fa2d957a24ae756975102d7a7f20425692eaf8c356639f587c501bb4aa1
public.ecr.aws/lambda/dotnet:latest	public.ecr.aws/lambda/dotnet@sha256:e80df5b68a0c38eb25ac0a8d0c3a7b3e2cd20dd75bb6a41d4921104b9e5ca095
public.ecr.aws/lambda/dotnet:10-preview	public.ecr.aws/lambda/dotnet@sha256:0dd0957bff27a917720c76da9ca963f586f7cfa9f734f3634adc3f0f1187dcaf
public.ecr.aws/lambda/dotnet:9	public.ecr.aws/lambda/dotnet@sha256:e80df5b68a0c38eb25ac0a8d0c3a7b3e2cd20dd75bb6a41d4921104b9e5ca095
public.ecr.aws/lambda/dotnet:8	public.ecr.aws/lambda/dotnet@sha256:b0d5c77ede87ca6b77a4cfdda517db035b04286e44dfdabc3b6c4838b4e6f7e0
public.ecr.aws/lambda/ruby:latest	public.ecr.aws/lambda/ruby@sha256:ce78c22cf4ab9308759900ff17774abdc70979894c8f8ee75396964173e2fef1
public.ecr.aws/lambda/ruby:3.4	public.ecr.aws/lambda/ruby@sha256:ce78c22cf4ab9308759900ff17774abdc70979894c8f8ee75396964173e2fef1
public.ecr.aws/lambda/ruby:3.3	public.ecr.aws/lambda/ruby@sha256:b5f33ad01ea35660841aded480b53ae51505dea61d44cf2e9dc33e41b5234617
public.ecr.aws/lambda/ruby:3.2	public.ecr.aws/lambda/ruby@sha256:bbba5471af118fc742579ab427a35dd78abca6d62d53a3470c94d154fc5ced64

---

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

---

Remediation Steps

• Update the affected package stdlib from version v1.25.4 to 1.24.11, 1.25.5.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.