CVE-2025-61726
Published: 28 January 2026
Summary
CVE-2025-61726 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-61726 affects the net/url package in the Go programming language. The package does not impose a limit on the number of query parameters in a URL query. While the overall size of query parameters is typically constrained by maximum request header sizes, the net/http.Request.ParseForm method can still parse large URL-encoded forms. Processing a form with many unique query parameters leads to excessive memory consumption. This issue is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated attacker with network access can exploit this vulnerability against Go-based HTTP servers that call ParseForm on incoming requests. By sending a specially crafted HTTP request containing a large number of unique query parameters, the attacker triggers unbounded memory allocation during parsing, resulting in denial of service through resource exhaustion.
Mitigation details are available in the official Go advisories and resources: the fix in Gerrit change list https://go.dev/cl/736712, the issue discussion at https://go.dev/issue/77101, the announcement at https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc, and the Go vulnerability database entry at https://pkg.go.dev/vuln/GO-2026-4341.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206445
Vulnerability details
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Remote unauthenticated exploitation of public Go HTTP servers via ParseForm leads directly to application-layer resource exhaustion DoS.
Affected Assets
- The net/url package of the Go programming language, and Go-based HTTP servers that call net/http.Request.ParseForm on incoming requests
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the flaw in Go's net/url package by applying the official patch, eliminating unbounded memory allocation during query parameter parsing.
- SC-5 (Denial-of-service Protection): Implements denial-of-service protections such as request size limits and parameter count throttling at system entry points to block resource exhaustion attacks.
- Restricts the quantity of query parameters in HTTP requests to defined limits, preventing excessive memory consumption from parsing large numbers of unique parameters.
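As an added example, not code from the Go project or from this advisory, the following Go program shows the entry-point throttling that the SC-5 control and the parameter-count limit above describe, applied to the ParseForm call path from the deeper analysis: it counts key=value pairs in the query string and the URL-encoded body before url.ParseQuery builds any map, caps the body in bytes, and has the handler answer 413 when a limit is hit. The limits (maxFormParams, maxFormBody), the helper names and the constructed requests in main are illustrative assumptions; the only real API it relies on is the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed limits for this example; tune them to the application.
const (
	maxFormParams = 1000    // cap on query-string plus body key=value pairs
	maxFormBody   = 1 << 20 // cap in bytes on a URL-encoded request body
)

// ErrFormLimit is returned before any per-parameter allocation happens.
var ErrFormLimit = errors.New("form exceeds parameter-count or body-size limit")

// countPairs counts key=value pairs without building a map, so the check is
// cheap on hostile input; empty segments ("a=1&&b=2") are skipped, as url.ParseQuery does.
func countPairs(s string) int {
	n := 0
	for s != "" {
		var seg string
		if seg, s, _ = strings.Cut(s, "&"); seg != "" {
			n++
		}
	}
	return n
}

// parseFormBounded stands in for r.ParseForm plus reading r.Form, but caps the pair
// count across query string and body, and the body size, before url.ParseQuery allocates.
func parseFormBounded(r *http.Request, maxParams int, maxBody int64) (url.Values, error) {
	total := countPairs(r.URL.RawQuery)
	if total > maxParams {
		return nil, ErrFormLimit
	}
	form, err := url.ParseQuery(r.URL.RawQuery)
	if err != nil {
		return nil, err
	}
	// Request.ParseForm reads a body only for these methods and this media type.
	ct, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
	bodyMethod := r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodPatch
	if r.Body == nil || !bodyMethod || ct != "application/x-www-form-urlencoded" {
		return form, nil
	}
	// Read one byte past the cap so an over-size body is caught without buffering it all.
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
	if err != nil {
		return nil, err
	}
	if total += countPairs(string(body)); int64(len(body)) > maxBody || total > maxParams {
		return nil, ErrFormLimit
	}
	bodyVals, err := url.ParseQuery(string(body))
	if err != nil {
		return nil, err
	}
	for k, vs := range bodyVals {
		form[k] = append(form[k], vs...)
	}
	return form, nil
}

// formHandler is the defensive call site: over-limit requests get 413 instead of growing the heap.
func formHandler(w http.ResponseWriter, r *http.Request) {
	form, err := parseFormBounded(r, maxFormParams, maxFormBody)
	switch {
	case errors.Is(err, ErrFormLimit):
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "malformed form", http.StatusBadRequest)
	default:
		fmt.Fprintf(w, "accepted %d parameters\n", len(form))
	}
}

// manyParams builds a constructed query string with n unique keys, the request shape the advisory describes.
func manyParams(n int) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = fmt.Sprintf("p%d=x", i)
	}
	return strings.Join(parts, "&")
}

func main() {
	for _, q := range []string{"q=go&page=2", manyParams(maxFormParams + 1)} {
		rec := httptest.NewRecorder()
		formHandler(rec, httptest.NewRequest("GET", "/form?"+q, nil))
		fmt.Println(rec.Code) // 200 for the benign query, then 413
	}
}
```

The count is a single pass over the bytes with no per-parameter allocation, so the check itself cannot become the resource drain it guards against; url.ParseQuery runs only once the request is known to be within bounds. This is defence in depth at the entry point, not a substitute for upgrading to a fixed Go release (the SI-2 control). Note one behavioural difference: Request.ParseForm gives body values precedence over query-string values in r.Form, while this simplified merge appends body values after the query values.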