CVE-2025-58186
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-11-04
Assigner: Go Project
Description
Description
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.25.0 (inc) to 1.25.2 (inc) |
| golang | go | 1.25.2 |
| golang | go | 1.24.8 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because while HTTP headers have a default size limit of 1MB, there is no limit on the number of cookies that can be parsed. An attacker can exploit this by sending many very small cookies (e.g., "a=;"), causing the HTTP server to allocate a large number of data structures, which leads to excessive memory consumption.
How can this vulnerability impact me? :
The vulnerability can cause an HTTP server to consume a large amount of memory, potentially leading to degraded performance, denial of service, or server crashes due to resource exhaustion.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70