- Description
- The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
- Source
- security@golang.org
- NVD status
- Analyzed
- Products
- go
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity
- HIGH
- nvd@nist.gov
- CWE-770
- Hype score
- Not currently trending
Lambda Watchdog detected that CVE-2025-61726 is no longer present in latest AWS Lambda base image scans. https://t.co/wBXcevU4un #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
23 Feb 2026
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New HIGH CVE detected in AWS Lambda. CVE-2025-61726 impacts libcap in 20 Lambda base images. Details: https://t.co/wBXcevU4un More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless
@LambdaWatchdog
8 Feb 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Lambda Watchdog detected that CVE-2025-61726 is no longer present in latest AWS Lambda base image scans. https://t.co/WfXf9keUSw #AWS #Lambda #Security #CVE #DevOps #SecOps
@LambdaWatchdog
6 Feb 2026
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go language (golang) users: A memory exhaustion vulnerability (CVE-2025-61726) in net/url query parsing may lead to service disruption. Consider updating to address this #golang #vulnerability #infosec. https://t.co/4jWh9WvWdJ
@pulsepatchio
1 Feb 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-61726 The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the … https://t.co/HgBQCfwBvp
@CVEnew
28 Jan 2026
138 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration
@oss_security
16 Jan 2026
917 Impressions
2 Retweets
11 Likes
2 Bookmarks
1 Reply
0 Quotes
Go 1.26 Release Candidate 2 is released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). Run it in dev! Run it in prod! F
@golang
15 Jan 2026
22045 Impressions
52 Retweets
423 Likes
30 Bookmarks
4 Replies
2 Quotes
Go 1.25.6 and 1.24.12 are released! Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). Announcement: https://t.co/seVA1REoeH Do
@golang
15 Jan 2026
14651 Impressions
53 Retweets
279 Likes
26 Bookmarks
4 Replies
3 Quotes
A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.
@_mattata
13 Jan 2026
327 Impressions
0 Retweets
5 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B",
            "versionEndExcluding": "1.24.12",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE",
            "versionEndExcluding": "1.25.6",
            "versionStartIncluding": "1.25.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]