CVE-2025-61726
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-28

Last updated on: 2026-02-06

Assigner: Go Project

Description
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-02-06
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-61726
EUVD
EUVD-2025-206445
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
golang go to 1.24.12 (exc)
golang go From 1.25.0 (inc) to 1.25.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs because the net/url package in Go does not limit the number of query parameters in a URL. Although the overall size of query parameters is usually limited by the maximum request header size, the net/http.Request.ParseForm method can parse very large URL-encoded forms. If a form contains many unique query parameters, parsing it can lead to excessive memory consumption.


How can this vulnerability impact me? :

The vulnerability can cause excessive memory consumption when parsing large URL-encoded forms with many unique query parameters. This could potentially lead to performance degradation or denial of service due to resource exhaustion.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart