Excessive Memory Consumption in net/url Package in Go by Google
CVE-2025-61726

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Net/url
Vendor: CVE Published:; 28 January 2026

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2025-61726?

The net/url package in Go lacks a limit on the number of query parameters that can be processed, which can lead to significant memory consumption when parsing large URL-encoded forms. Although the maximum request header size typically constrains the overall size of query parameters, the net/http.Request.ParseForm method can still handle forms with many unique parameters. This issue may result in performance degradation and resource exhaustion.

Affected Version(s)

net/url 0 < 1.24.12

net/url 1.25.0 < 1.25.6

References

https://go.dev/cl/736712

https://go.dev/issue/77101

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 28, 2026
Vulnerability Reserved
Sep 30, 2025

Credit

jub0bs

CVE-2025-61726 Data

JSON