CVE-2025-61726
Published 2026-01-28
Priority: P3 (48) · Severity: high · CVSS 3.1 base score: 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.94% (77.7th percentile)
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
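The asymmetry the advisory points at is worth seeing in code. The URL query is bounded by the server's header limit (net/http's DefaultMaxHeaderBytes is 1 MB), but Request.ParseForm reads an application/x-www-form-urlencoded POST body of up to 10 MB when r.Body is not wrapped in MaxBytesReader, and every unique key becomes a map entry plus a []string, so memory grows well past the bytes received. The following is an added example, not code from the Go project or any advisory on this page: it places the vulnerable ParseForm pattern beside a handler that bounds both attacker-controlled dimensions (bytes and pair count) before net/url allocates anything. The limits maxFormBytes and maxFormPairs, the helper names and craftedForm are illustrative assumptions; the crafted body is constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Illustrative limits (assumptions, not from the advisory); tune per endpoint.
const (
	maxFormBytes = 64 << 10 // 64 KiB of URL-encoded form
	maxFormPairs = 256      // largest number of "k=v" pairs we agree to parse
)

var errTooManyParams = errors.New("form: too many parameters")

// countPairs upper-bounds the number of "k=v" segments in a raw query in one
// pass over the bytes with no per-parameter allocation: the property a
// pre-check must have if it is to protect the allocator.
func countPairs(raw string) int {
	if raw == "" {
		return 0
	}
	return strings.Count(raw, "&") + 1
}

// parseQueryBounded refuses to build the url.Values map (one map entry plus
// a []string per unique key) when the input carries more than maxPairs pairs.
func parseQueryBounded(raw string, maxPairs int) (url.Values, error) {
	if n := countPairs(raw); n > maxPairs {
		return nil, fmt.Errorf("%w: %d > %d", errTooManyParams, n, maxPairs)
	}
	return url.ParseQuery(raw)
}

// vulnerableHandler is the pattern the advisory describes: ParseForm reads up
// to 10 MB of body (net/http's ceiling when r.Body is not a MaxBytesReader)
// and materialises every unique key it finds.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d parameters\n", len(r.Form))
}

// hardenedHandler caps bytes (MaxBytesReader) and pair count
// (parseQueryBounded) for the URL query and the form body alike.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	form, err := parseQueryBounded(r.URL.RawQuery, maxFormPairs)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	ct := strings.ToLower(r.Header.Get("Content-Type"))
	isForm := strings.HasPrefix(ct, "application/x-www-form-urlencoded")
	hasBody := r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch
	if isForm && hasBody {
		r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		postForm, err := parseQueryBounded(string(body), maxFormPairs)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		for k, v := range postForm {
			form[k] = append(form[k], v...)
		}
	}
	fmt.Fprintf(w, "parsed %d parameters\n", len(form))
}

// craftedForm builds a constructed attack body of n unique, empty-valued
// keys ("k0=&k1=&..."); each key costs the server a map entry and a slice.
func craftedForm(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=", i)
	}
	return b.String()
}

func main() {
	handlers := map[string]http.HandlerFunc{"vulnerable": vulnerableHandler, "hardened": hardenedHandler}
	for name, h := range handlers {
		req := httptest.NewRequest(http.MethodPost, "/submit?x=1", strings.NewReader(craftedForm(5000)))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		rec := httptest.NewRecorder()
		h(rec, req)
		fmt.Printf("%-10s -> %d %s", name, rec.Code, rec.Body.String())
	}
}
```

Running main sends the same 5000-key body to both handlers: the vulnerable one happily reports 5001 parameters, the hardened one answers 400 before a single map entry is allocated. Counting `&` is a deliberately crude bound (it overcounts empty segments), which is the right direction for a guard that runs before parsing. Wrapping r.Body in MaxBytesReader is also what makes ParseForm itself respect a limit below the 10 MB default; upgrading to a fixed Go release (1.24.12 or 1.25.6) remains the actual fix.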
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| debian | golang-1.25 | < golang-1.24 1.24.12-1 (forky) | golang-1.24 1.24.12-1 (forky) |
| github.com | centrifugal_centrifugo_v6 | >= 0 < 6.6.1 | 6.6.1 |
| go_standard_library | net_url | < 1.24.12 | 1.24.12 |
| go_standard_library | net_url | >= 1.25.0 < 1.25.6 | 1.25.6 |
| golang | go | < 1.24.12 | 1.24.12 |
| golang | go | >= 1.25.0 < 1.25.6 | 1.25.6 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Red Hat
golang: net/url: Memory exhaustion in query parameter parsing in net/url
vendor_redhat · 2026-01-28 · CVSS 7.5 · HIGH · CWE-770
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted HTTP request containing a massive number of query paramete
Debian
CVE-2025-61726: golang-1.15 - The net/url package does not set a limit on the number of query parameters in a ...
vendor_debian · 2025 · CVSS 7.5 · HIGH
Scope: local
bullseye: open
VulDB
net-url up to 1.24.11/1.25.5 on Go Request Header resource consumption (Nessus ID 297011 / WID-SEC-2026-0129)
vuldb · 2026-07-01 · CVSS 7.5 · HIGH
A vulnerability marked as problematic has been reported in net-url up to 1.24.11/1.25.5 on Go. This vulnerability affects unknown code of the component Request Header Handler. This manipulation causes resource consumption.
This vulnerability is handled as CVE-2025-61726. The attack can be initiated remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
Centrifugo v6.6.0 dependency vulnerabilities
ghsa · 2026-02-19 · CVSS 7.5 · CVE-2025-68121 [HIGH] · CWE-1395
### Summary
Centrifugo v6.6.0 binary is compiled with **Go 1.25.5** and statically links `github.com/quic-go/webtransport-go v0.9.0`, having **7 known CVEs**:
**Go standard library — compiled with Go 1.25.5:**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2025-68121 | **CRITICAL** | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
**Direct dependency `github.com/quic-go/webtransport-go`, pinned at v0.9.0 (`go.mod` line 34):**
| CVE | Severity | CVSS | Fixed In |
|-----|----------|------|----------|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-202
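Because the Go standard library is statically linked, the toolchain version recorded in a binary is the only fact needed to decide whether its net/url carries the CVE-2025-61726 fix, and that is exactly what the Centrifugo advisory above is built on. As an added example (not Centrifugo or Go project code), the following reads that version out of any Go executable with the standard debug/buildinfo package and maps it onto the fixed versions listed on this page (1.24.12 and 1.25.6). The helper names are assumptions; the version ranges are the page's own, including the older lines that fall under "< 1.24.12".

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

type goVersion struct{ major, minor, patch int }

// Matches the form stored in build info and returned by runtime.Version():
// "go1.25.5", or a pre-release such as "go1.26rc1" (no patch component).
var versionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion treats a pre-release as patch 0, the conservative reading
// when the fix shipped in a later point release. A "devel go1.26-<hash>"
// string does not match and is reported as undecidable rather than guessed.
func parseGoVersion(s string) (goVersion, bool) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, false
	}
	var v goVersion
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, true
}

func (v goVersion) less(o goVersion) bool {
	if v.major != o.major {
		return v.major < o.major
	}
	if v.minor != o.minor {
		return v.minor < o.minor
	}
	return v.patch < o.patch
}

// vulnerableToCVE202561726 encodes the affected ranges from the advisory:
// everything before 1.24.12 (older, unsupported lines included) and the
// 1.25 line before 1.25.6. 1.26 and later were released with the fix.
func vulnerableToCVE202561726(v goVersion) bool {
	fixed124 := goVersion{1, 24, 12}
	fixed125 := goVersion{1, 25, 6}
	if v.less(fixed124) {
		return true
	}
	return v.major == 1 && v.minor == 25 && v.less(fixed125)
}

// checkBinary reads the toolchain version embedded in a built executable
// (no execution of the target needed) and classifies it.
func checkBinary(path string) (version string, vulnerable bool, err error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	v, ok := parseGoVersion(info.GoVersion)
	if !ok {
		return info.GoVersion, false, fmt.Errorf("cannot classify Go version %q", info.GoVersion)
	}
	return info.GoVersion, vulnerableToCVE202561726(v), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <binary>...")
		os.Exit(2)
	}
	for _, p := range os.Args[1:] {
		ver, vuln, err := checkBinary(p)
		switch {
		case err != nil:
			fmt.Printf("%s: %v\n", p, err)
		case vuln:
			fmt.Printf("%s: built with %s, affected by CVE-2025-61726\n", p, ver)
		default:
			fmt.Printf("%s: built with %s, not affected\n", p, ver)
		}
	}
}
```

Point it at the shipped binary (for example `gocheck ./centrifugo`): a 1.25.5 build is flagged, a 1.25.6 or 1.24.12 build is not. This answers only the toolchain question; `govulncheck -mode binary` additionally tells you whether the vulnerable function is reachable, and the third-party module ranges in the advisory's second table still need their own check.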
OSV
Centrifugo v6.6.0 dependency vulnerabilities
osv · 2026-02-19 · CVSS 7.5 · CVE-2025-68121 [HIGH]
Same advisory text as the GHSA entry above.
GHSA
GHSA-gm9r-q53w-2gh4: The net/url package does not set a limit on the number of query parameters in a query
ghsa_unreviewed · 2026-01-28 · HIGH · CWE-770
OSV
Memory exhaustion in query parameter parsing in net/url
osv · 2026-01-28
OSV
CVE-2025-61726: The net/url package does not set a limit on the number of query parameters in a query
osv · 2026-01-28 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-61726 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
## CVE-2025-61726: cAdvisor vulnerability analysis and mitigation
Source: NVD
Score: 7.5 (CNA score 7.5) · Severity: HIGH · Published January 28, 2026
Affected technologies: cAdvisor, Docker
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation Probability Percentile (EPSS): 9.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries:
gcp-compute-per
Wiz
GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · CVE-2025-68121 [HIGH]
## GHSA-j9wf-6r2x-hqmx: vulnerability analysis and mitigation
## Summary
github.com/quic-go/webtransport-go v0.9.0
Go standard library (compiled with Go 1.25.5):
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2025-68121 | CRITICAL | 10.0 | Go 1.25.7, 1.24.13 |
| CVE-2025-61726 | HIGH | 7.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61728 | MEDIUM | 6.5 | Go 1.25.6, 1.24.12 |
| CVE-2025-61730 | MEDIUM | 5.3 | Go 1.25.6, 1.24.12 |
Direct dependency github.com/quic-go/webtransport-go (go.mod):
| CVE | Severity | CVSS | Fixed In |
|---|---|---|---|
| CVE-2026-21434 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21435 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
| CVE-2026-21438 | MEDIUM | 5.3 | webtransport-go v0.10.0 |
Source: NVD
Published February 19, 2026
Severity: MEDIUM
CNA Score: N/A
Has public exploit: No
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation Probability Percentile (EPSS): N/A
Exploit
Bugzilla
CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url
bugzilla · 2026-01-28 · CVSS 7.5 · HIGH
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:2706 https://access.redhat.com/errata/RHSA-2026:2706
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:2708 https://access.redhat.com/errata/RHSA-2026:2708
---
This issu
References
https://go.dev/cl/736712
https://go.dev/issue/77101
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
https://pkg.go.dev/vuln/GO-2026-4341
https://access.redhat.com/errata/RHSA-2026:10096
https://access.redhat.com/errata/RHSA-2026:10104
https://access.redhat.com/errata/RHSA-2026:10184
https://access.redhat.com/errata/RHSA-2026:10225
https://access.redhat.com/errata/RHSA-2026:10250
https://access.redhat.com/errata/RHSA-2026:11408
https://access.redhat.com/errata/RHSA-2026:11414
https://access.redhat.com/errata/RHSA-2026:11747
https://access.redhat.com/errata/RHSA-2026:11749
https://access.redhat.com/errata/RHSA-2026:12028
https://access.redhat.com/errata/RHSA-2026:12029
https://access.redhat.com/errata/RHSA-2026:12030
https://access.redhat.com/errata/RHSA-2026:12031
https://access.redhat.com/errata/RHSA-2026:12032
https://access.redhat.com/errata/RHSA-2026:12033
https://access.redhat.com/errata/RHSA-2026:12279
https://access.redhat.com/errata/RHSA-2026:12282
https://access.redhat.com/errata/RHSA-2026:13542
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:14100
https://access.redhat.com/errata/RHSA-2026:14774
https://access.redhat.com/errata/RHSA-2026:14868
https://access.redhat.com/errata/RHSA-2026:14879
https://access.redhat.com/errata/RHSA-2026:15091
https://access.redhat.com/errata/RHSA-2026:15984
https://access.redhat.com/errata/RHSA-2026:16102
https://access.redhat.com/errata/RHSA-2026:16696
https://access.redhat.com/errata/RHSA-2026:17040
https://access.redhat.com/errata/RHSA-2026:17084
https://access.redhat.com/errata/RHSA-2026:17446
https://access.redhat.com/errata/RHSA-2026:17460
https://access.redhat.com/errata/RHSA-2026:17463
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17595
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:18913
https://access.redhat.com/errata/RHSA-2026:19013
https://access.redhat.com/errata/RHSA-2026:19132
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:19634
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:21657
https://access.redhat.com/errata/RHSA-2026:21691
https://access.redhat.com/errata/RHSA-2026:22450
https://access.redhat.com/errata/RHSA-2026:22627
https://access.redhat.com/errata/RHSA-2026:22714
https://access.redhat.com/errata/RHSA-2026:22937
https://access.redhat.com/errata/RHSA-2026:23228
https://access.redhat.com/errata/RHSA-2026:23361
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:25127
https://access.redhat.com/errata/RHSA-2026:25248
https://access.redhat.com/errata/RHSA-2026:25250
https://access.redhat.com/errata/RHSA-2026:25251
https://access.redhat.com/errata/RHSA-2026:25252
https://access.redhat.com/errata/RHSA-2026:25253
https://access.redhat.com/errata/RHSA-2026:26420
https://access.redhat.com/errata/RHSA-2026:26527
https://access.redhat.com/errata/RHSA-2026:26541
https://access.redhat.com/errata/RHSA-2026:26636
https://access.redhat.com/errata/RHSA-2026:2681
https://access.redhat.com/errata/RHSA-2026:2706
https://access.redhat.com/errata/RHSA-2026:2708
https://access.redhat.com/errata/RHSA-2026:2709
https://access.redhat.com/errata/RHSA-2026:2754
https://access.redhat.com/errata/RHSA-2026:28047
https://access.redhat.com/errata/RHSA-2026:2844
https://access.redhat.com/errata/RHSA-2026:28441
https://access.redhat.com/errata/RHSA-2026:2914
https://access.redhat.com/errata/RHSA-2026:2920
https://access.redhat.com/errata/RHSA-2026:3035
https://access.redhat.com/errata/RHSA-2026:3040
https://access.redhat.com/errata/RHSA-2026:3089
https://access.redhat.com/errata/RHSA-2026:3092
https://access.redhat.com/errata/RHSA-2026:3184
https://access.redhat.com/errata/RHSA-2026:3186
https://access.redhat.com/errata/RHSA-2026:3187
https://access.redhat.com/errata/RHSA-2026:3188
https://access.redhat.com/errata/RHSA-2026:3192
https://access.redhat.com/errata/RHSA-2026:3193
https://access.redhat.com/errata/RHSA-2026:3291
https://access.redhat.com/errata/RHSA-2026:3296
https://access.redhat.com/errata/RHSA-2026:3297
https://access.redhat.com/errata/RHSA-2026:3298
https://access.redhat.com/errata/RHSA-2026:3336
https://access.redhat.com/errata/RHSA-2026:3337
https://access.redhat.com/errata/RHSA-2026:3340
https://access.redhat.com/errata/RHSA-2026:3341
https://access.redhat.com/errata/RHSA-2026:3343
https://access.redhat.com/errata/RHSA-2026:3391
https://access.redhat.com/errata/RHSA-2026:3416
https://access.redhat.com/errata/RHSA-2026:3427
+ 170 more references
Published: 2026-01-28