CVE-2025-61726

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://go.dev/cl/736712	Patch
https://go.dev/issue/77101	Patch
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc	Release Notes Mailing List
https://pkg.go.dev/vuln/GO-2026-4341	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

History

No history.

Information

Published : 2026-01-28 20:16

Updated : 2026-02-06 18:47

NVD link : CVE-2025-61726

Mitre link : CVE-2025-61726

CVE.ORG link : CVE-2025-61726

JSON object : View

Products Affected

golang

go

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-61726", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-28T20:16:09.713", "references": [{"url": "https://go.dev/cl/736712", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/77101", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc", "tags": ["Release Notes", "Mailing List"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4341", "tags": ["Vendor Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."}, {"lang": "es", "value": "El paquete net/url no establece un l\u00edmite en el n\u00famero de par\u00e1metros de consulta en una consulta. Si bien el tama\u00f1o m\u00e1ximo de los par\u00e1metros de consulta en las URL generalmente est\u00e1 limitado por el tama\u00f1o m\u00e1ximo de la cabecera de solicitud, el m\u00e9todo net/http.Request.ParseForm puede analizar formularios grandes codificados en URL. Analizar un formulario grande que contiene muchos par\u00e1metros de consulta \u00fanicos puede causar un consumo excesivo de memoria."}], "lastModified": "2026-02-06T18:47:34.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B", "versionEndExcluding": "1.24.12"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE", "versionEndExcluding": "1.25.6", "versionStartIncluding": "1.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}