High

Memory exhaustion in Go net/url query parameter parsing

IdentifiersCVE-2025-61726CWE-770· Allocation of Resources Without…

CVE-2025-61726 affects Go's standard library, specifically net/url and code paths that use net/http.Request.ParseForm. The net/url package does not impose a limit on the number of query parameters parsed. Although URL query size is often indirectly constrained by request-header limits, ParseForm can also process large application/x-www-form-urlencoded bodies. An attacker can supply a large form or query string containing many distinct parameter names, causing the parser to allocate and retain excessive memory while building the parsed parameter map. The issue is a resource-consumption flaw that can be triggered through attacker-controlled HTTP input processed by affected Go applications.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause excessive memory consumption in the target Go process, potentially leading to denial of service through resource exhaustion, degraded performance, increased garbage-collection pressure, or process termination/OOM conditions. Based on the provided information, this is an availability impact; no direct evidence is provided for confidentiality, integrity, or code-execution impact.

Mitigation

If you can’t patch tonight, do this now.

Until patched versions can be deployed, reduce exposure by enforcing strict limits on untrusted HTTP input before it reaches ParseForm or equivalent parsing paths. Practical mitigations include limiting request body size, URL length, and total accepted parameter/key count; rejecting requests with unusually high numbers of unique parameters; applying reverse-proxy, WAF, or ingress filtering rules to block oversized or parameter-dense requests; and rate limiting endpoints that parse attacker-controlled URL-encoded data.

Remediation

Patch, then assume compromise.

Upgrade to a Go release that includes the upstream fix for CVE-2025-61726 and rebuild/redeploy affected applications. The provided advisory context references patched Go versions 1.25.6 and 1.24.12 for this issue. If the vulnerable behavior is inherited transitively through statically linked Go binaries or downstream products, update those products to vendor releases that incorporate the fixed Go runtime/library.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GolangGoapplication

Rocky LinuxImage-Builderapplication

Rocky LinuxOsbuild-Composerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

57 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

57 SOURCESView more in app

techrepublic com securityNews

Jan 16, 2026

Go Programming Language 1.26 Patches Several Security Flaws - TechRepublic

Denial-of-service (memory exhaustion) in Go net/http Request.ParseForm when parsing URL-encoded forms with very large numbers of key-value pairs, causing excessive allocations.

cyber security newsNews

Jan 16, 2026

Go 1.25.6 and 1.24.12 Patch Critical Vulnerabilities Lead to DoS and Memory Exhaustion Risks

A denial-of-service vulnerability in Go’s net/http where Request.ParseForm can be forced into memory exhaustion via URL-encoded forms containing excessive key-value pairs.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity27

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-61726

NVD

nvd.nist.gov/vuln/detail/CVE-2025-61726

MITRE CWE · CWE-770

Allocation of Resources Without Limits or…

pkg.go.dev/vuln/GO-2026-4341

Release Notes

groups.google.com/g/golang-announce/c/Vd2tYVM8eUc