Skip to content

net/http: memory exhaustion in Request.ParseForm (CVE-2025-61726) #77101

New issue
New issue
Closed
Closed
net/http: memory exhaustion in Request.ParseForm (CVE-2025-61726)#77101
Labels
NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo
Milestone
Go1.26
@neild

Description

@neild
neild
opened on Jan 7, 2026

When parsing a URL-encoded form net/http may allocate an unexpected amount of
memory when provided a large number of key-value pairs. This can result in a
denial of service due to memory exhaustion.

Thanks to jub0bs for reporting this issue.

This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.

This is a PRIVATE issue for CVE-2025-61726, tracked in http://b/457464435 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3020.

/cc @golang/security and @golang/release

Metadata

Metadata

Assignees

No one assigned

    Labels

    NeedsFixThe path to resolution is known, but the work has not been done.Securityrelease-blockervulncheck or vulndbIssues for the x/vuln or x/vulndb repo

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions