CVE-2025-61728

Published Jan 28, 2026

Last updated 4 months ago

CVSS medium 6.5
Golang
AWS

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61728 is a vulnerability identified in the `net/http` package of the Go programming language, affecting versions Go 1.25.6 and Go 1.24.12. This issue, also tracked as Go issue 77102, concerns a potential for memory exhaustion when parsing URL-encoded forms. Specifically, the vulnerability arises because the `net/http` package may allocate an unexpectedly large amount of memory when processing a URL-encoded form that contains a significant number of key-value pairs. This excessive memory allocation can lead to a denial of service (DoS) condition due to memory exhaustion. The issue was reported by jub0bs.

Description
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Source
security@golang.org
NVD status
Analyzed
Products
go

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-770

Social media

Hype score
Not currently trending

  1. πŸ” Lambda Watchdog detected that CVE-2025-61728 is no longer present in latest AWS Lambda base image scans. https://t.co/S4lJuFVzW8 #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    23 Feb 2026

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 New HIGH CVE detected in AWS Lambda 🚨 CVE-2025-61728 impacts libcap in 20 Lambda base images. Details: https://t.co/S4lJuFVzW8 More: https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    8 Feb 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. πŸ” Lambda Watchdog detected that CVE-2025-61728 is no longer present in latest AWS Lambda base image scans. https://t.co/vyqPfUP0RB #AWS #Lambda #Security #CVE #DevOps #SecOps

    @LambdaWatchdog

    6 Feb 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-61728 archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when … https://t.co/UgjkZcZJzN

    @CVEnew

    28 Jan 2026

    131 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Top 5 Trending CVEs: 1 - CVE-2023-20198 2 - CVE-2025-32711 3 - CVE-2025-20393 4 - CVE-2025-61728 5 - CVE-2026-22812 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    18 Jan 2026

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Go Releases Security Updates Fixing Memory-Exhaustion ZIP DoS and Multiple Runtime Risks Go 1.25.6 and 1.24.12 patch six vulnerabilities, including a high-impact archive/zip flaw (CVE-2025-61728) that can trigger super-linear processing and memory/CPU exhaustion when opening

    @ThreatSynop

    16 Jan 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Released #golang compression v1.18.3 containing upstream CVE-2025-61728 fix: https://t.co/XNfN4TUq2A

    @sh0dan

    16 Jan 2026

    112 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  9. πŸ₯³ Go 1.26 Release Candidate 2 is released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸƒβ€β™€οΈ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  10. 🎊 Go 1.25.6 and 1.24.12 are released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸ“£ Announcement: https://t.co/seVA1REoeH πŸ“¦ Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  11. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.β€‹β€Œβ£β€Œβ£β€Œβ€Œβ€Œβ€Œβ€Œβ£β£β€Œβ€Œβ€Œβ€Œβ£β€Œβ£β£

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. CVE-2024-31884
  2. Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.β€’CVE-2026-8838
  3. Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any models previously created with ModelBuilder using the updated SDK.β€’CVE-2026-8596
  4. An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.β€’CVE-2026-8178
  5. A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated.β€’CVE-2026-42501

References

Sources include official advisories and independent security research.