CVE-2025-61726Allocation of Resources Without Limits or Throttling in Standard Library NET URL

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-1395Dependency on Vulnerable Third-Party Component12 documents9 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 90.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GO Standard Library NET URLGithub.com Centrifugal Centrifugo V6Golang GO
Timeline
PublishedJan 28
Latest updateFeb 19

Description

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDgolang/go1.25.01.25.6+1
CVEListV5go_standard_library/net_url1.25.01.25.6+1

Patches

Patch: go.devPatch: go.dev

🔴Vulnerability Details

6
GHSA
Centrifugo v6.6.0 dependency vulnerabilities2026-02-19
OSV
Centrifugo v6.6.0 dependency vulnerabilities2026-02-19
CVEList
Memory exhaustion in query parameter parsing in net/url2026-01-28
GHSA
GHSA-gm9r-q53w-2gh4: The net/url package does not set a limit on the number of query parameters in a query2026-01-28
OSV
Memory exhaustion in query parameter parsing in net/url2026-01-28

📋Vendor Advisories

2
Red Hat
golang: net/url: Memory exhaustion in query parameter parsing in net/url2026-01-28
Debian
CVE-2025-61726: golang-1.15 - The net/url package does not set a limit on the number of query parameters in a ...2025

🕵️Threat Intelligence

2
Wiz
CVE-2025-61726 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
GHSA-j9wf-6r2x-hqmx Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2025-61726 golang: net/url: Memory exhaustion in query parameter parsing in net/url2026-01-28