CVE-2025-61726
Published: 28 January 2026
Summary
CVE-2025-61726 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public Go HTTP servers via ParseForm leads directly to application-layer resource exhaustion DoS.
NVD Description
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse…
more
large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Deeper analysisAI
CVE-2025-61726 affects the net/url package in the Go programming language. The package does not impose a limit on the number of query parameters in a URL query. While the overall size of query parameters is typically constrained by maximum request header sizes, the net/http.Request.ParseForm method can still parse large URL-encoded forms. Processing a form with many unique query parameters leads to excessive memory consumption. This issue is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access can exploit this vulnerability against Go-based HTTP servers that call ParseForm on incoming requests. By sending a specially crafted HTTP request containing a large number of unique query parameters, the attacker triggers unbounded memory allocation during parsing, resulting in denial of service through resource exhaustion.
Mitigation details are available in official Go advisories and resources, including the patch in change log https://go.dev/cl/736712, issue discussion at https://go.dev/issue/77101, announcement at https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc, and vulnerability entry at https://pkg.go.dev/vuln/GO-2026-4341.
Details
- CWE(s)