
CVE-2025-61726

High · DoS

Published: 28 January 2026
Modified: 06 February 2026
KEV Added: not listed
Patch: available (https://go.dev/cl/736712)
CVSS Score: v3.1 7.5 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0004 (14.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-61726 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Golang Go. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-61726 affects the net/url package in the Go standard library. url.ParseQuery, which net/http.Request.ParseForm calls for both the URL query string and URL-encoded request bodies, imposes no limit on the number of query parameters it will parse. The query string itself is bounded in practice by the server's maximum request header size (http.DefaultMaxHeaderBytes is 1 MB), but ParseForm also reads the body of POST, PUT and PATCH requests whose Content-Type is application/x-www-form-urlencoded, and unless the application has wrapped the body in http.MaxBytesReader that read is capped only at 10 MB. The parsed result is a url.Values, a map[string][]string, so every unique key costs a map entry, a key string and a []string with its own backing array: retained memory grows several times faster than the bytes received, and a body of a few megabytes of short unique keys becomes millions of map entries. Repeated keys do not help the attacker much, since they only append to an existing slice; the amplification comes from unique keys. This issue is mapped to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability against a Go-based HTTP server that calls ParseForm on incoming requests, including indirectly through ParseMultipartForm, FormValue or PostFormValue, which parse the form on first use. By sending a specially crafted request containing a large number of unique query parameters, the attacker triggers unbounded memory allocation during parsing; a handful of concurrent requests of this shape multiplies the effect, resulting in denial of service through memory exhaustion. Because the Go standard library is statically linked into each binary, the fix is applied by rebuilding and redeploying services with a patched toolchain, not by updating a shared library on the host.

Mitigation details are available in the official Go resources: the fix (https://go.dev/cl/736712), the issue discussion (https://go.dev/issue/77101), the golang-announce post (https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc) and the Go vulnerability database entry (https://pkg.go.dev/vuln/GO-2026-4341).


Vulnerability details

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of public Go HTTP servers via ParseForm leads directly to application-layer resource exhaustion DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32280 · Same product: Golang Go
CVE-2026-32283 · Same product: Golang Go
CVE-2026-25679 · Same product: Golang Go
CVE-2026-27137 · Same product: Golang Go
CVE-2026-32281 · Same product: Golang Go
CVE-2025-68121 · Same product: Golang Go
CVE-2026-27143 · Same product: Golang Go
CVE-2026-27144 · Same product: Golang Go
CVE-2025-61731 · Same product: Golang Go
CVE-2026-27140 · Same product: Golang Go

Affected Assets

golang / go: ≤ 1.24.12 and 1.25.0 to 1.25.6 (the first unaffected releases are therefore 1.24.13 and 1.25.7; binaries must be rebuilt with a fixed toolchain, since the standard library is compiled into each executable)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 Flaw Remediation: Directly remediates the flaw in Go's net/url package by applying the official patch (upgrading to a fixed Go release and rebuilding affected services), eliminating unbounded memory allocation during query parameter parsing.

prevent · SC-5 Denial-of-service Protection: Implements denial-of-service protections such as request size limits and parameter count throttling at system entry points (reverse proxy, WAF or the application itself) to block resource exhaustion attacks.

prevent: Restricts the quantity of query parameters in HTTP requests to defined limits, preventing excessive memory consumption from parsing large numbers of unique parameters.
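The request size limit and parameter count cap that the SC-5 entry and the last control describe, applied to the ParseForm attack path laid out under Deeper analysis, as a worked Go example. This is added code, not the Go project's patch and not code from this page; the limits (maxFormBytes, maxFormParams), the helper names (ParseQueryBounded, boundedHandler, floodBody, serve) and the status codes returned are this example's own choices, and floodBody constructs sample input rather than replaying a captured request.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Limits chosen for this example (assumptions, not values from the advisory);
// size them to the largest legitimate form your application accepts.
const (
	maxFormBytes  = 64 << 10 // body cap enforced by http.MaxBytesReader
	maxFormParams = 100      // cap on key=value pairs per request
)

var ErrTooManyParams = errors.New("form has too many parameters")

// ParseQueryBounded refuses a URL-encoded form before url.ParseQuery allocates
// a map entry per key. strings.Count(raw, "&")+1 is a cheap upper bound on the
// number of pairs ParseQuery would store (it skips empty segments such as the
// one in "a=1&&b=2", so the bound errs on the side of rejecting).
func ParseQueryBounded(raw string, maxParams int) (url.Values, error) {
	if strings.Count(raw, "&")+1 > maxParams {
		return nil, ErrTooManyParams
	}
	return url.ParseQuery(raw)
}

// boundedHandler stands in for an application handler that would otherwise
// call r.ParseForm. It applies the parameter cap to the query string, and the
// byte cap plus the parameter cap to a urlencoded POST body, so neither the
// 1 MB header limit nor ParseForm's 10 MB body limit is the only defence.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	query, err := ParseQueryBounded(r.URL.RawQuery, maxFormParams)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	params := len(query)

	ct := r.Header.Get("Content-Type")
	if r.Method == http.MethodPost && strings.HasPrefix(ct, "application/x-www-form-urlencoded") {
		// MaxBytesReader stops at the cap and returns *http.MaxBytesError.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxFormBytes))
		if err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "unreadable body", http.StatusBadRequest)
			return
		}
		form, err := ParseQueryBounded(string(body), maxFormParams)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		params += len(form)
	}
	fmt.Fprintf(w, "accepted %d parameters\n", params)
}

// floodBody builds the payload shape the advisory describes: n distinct short
// keys, so the byte count stays modest while the number of map entries grows.
// Constructed sample input for this example.
func floodBody(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte('&')
		}
		fmt.Fprintf(&b, "k%d=1", i)
	}
	return b.String()
}

// serve runs boundedHandler against an in-memory request and returns the
// status code, so the behaviour can be checked without a listening server.
func serve(method, target, body string) int {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if method == http.MethodPost {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	boundedHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("normal login form:", serve(http.MethodPost, "/login", "user=alice&pass=hunter2"))
	fmt.Println("5000 unique keys in body:", serve(http.MethodPost, "/login", floodBody(5000)))
	fmt.Println("70 KiB body:", serve(http.MethodPost, "/login", strings.Repeat("a", 70<<10)))
	fmt.Println("500 unique keys in query:", serve(http.MethodGet, "/search?"+floodBody(500), ""))
}
```

The count check runs on the raw bytes before any per-parameter allocation, which is the property that matters: a check after ParseForm returns would come too late. The patch linked under Deeper analysis addresses the problem inside net/url itself; an application-level cap like this one is still worth keeping on services that cannot be rebuilt immediately, and it lets you pick a limit that matches your actual forms rather than a library default.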
