CVE-2025-58186

Summary

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/http0 < 1.24.8affected
Go standard librarynet/http1.25.0 < 1.25.2affected

Weaknesses

  • CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References