CVE-2025-61726

Published: Jan 28, 2026

Modified: Jan 29, 2026

PUBLISHED

Description

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Vendor	Product	Versions
Go standard library	net/url	affected `0 - < 1.24.12` affected `1.25.0 - < 1.25.6`

References

https://go.dev/cl/736712

https://go.dev/issue/77101

https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

https://pkg.go.dev/vuln/GO-2026-4341

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-61726

Description

Affected Products

References