CVE-2025-61726

Summary

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected Software

VendorProductVersion RangeStatus
Go standard librarynet/url0 < 1.24.12affected
Go standard librarynet/url1.25.0 < 1.25.6affected

Weaknesses

  • CWE-400: Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

golang: net/url: Memory exhaustion in query parameter parsing in net/url

Additional References

References