CVE-2025-61728

Golang

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61728 is a vulnerability identified in the `net/http` package of the Go programming language, affecting versions Go 1.25.6 and Go 1.24.12. This issue, also tracked as Go issue 77102, concerns a potential for memory exhaustion when parsing URL-encoded forms. Specifically, the vulnerability arises because the `net/http` package may allocate an unexpectedly large amount of memory when processing a URL-encoded form that contains a significant number of key-value pairs. This excessive memory allocation can lead to a denial of service (DoS) condition due to memory exhaustion. The issue was reported by jub0bs.

Description
-

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

30

  1. Released #golang compression v1.18.3 containing upstream CVE-2025-61728 fix: https://t.co/XNfN4TUq2A

    @sh0dan

    16 Jan 2026

    112 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Go 1.25.6 and 1.24.12 fix 6 CVEs https://t.co/XjElQGk7ZQ CVE-2025-61728 archive/zip: DoS CVE-2025-61726 net/http: Memory exhaustion CVE-2025-68121 crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for chain expiration

    @oss_security

    16 Jan 2026

    917 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

  3. πŸ₯³ Go 1.26 Release Candidate 2 is released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸƒβ€β™€οΈ Run it in dev! Run it in prod! F

    @golang

    15 Jan 2026

    22045 Impressions

    52 Retweets

    423 Likes

    30 Bookmarks

    4 Replies

    2 Quotes

  4. 🎊 Go 1.25.6 and 1.24.12 are released! πŸ” Security: Includes security fixes for archive/zip (CVE-2025-61728), net/http (CVE-2025-61726), crypto/tls (CVE-2025-68121, CVE-2025-61730), cmd/go (CVE-2025-61731, CVE-2025-68119). πŸ“£ Announcement: https://t.co/seVA1REoeH πŸ“¦ Do

    @golang

    15 Jan 2026

    14651 Impressions

    53 Retweets

    279 Likes

    26 Bookmarks

    4 Replies

    3 Quotes

  5. A Go release scheduled for Thursday, Jan 15th covering CVE-2025-61728 CVE-2025-61726 CVE-2025-68121 CVE-2025-61731 CVE-2025-68119, all currently embargoed. Reports of an SSH 0-day, in context of Go's crypto/ssh module.β€‹β€Œβ£β€Œβ£β€Œβ€Œβ€Œβ€Œβ€Œβ£β£β€Œβ€Œβ€Œβ€Œβ£β€Œβ£β£

    @_mattata

    13 Jan 2026

    327 Impressions

    0 Retweets

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.