CVE-2025-61726

{"id": "CVE-2025-61726", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-61726", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T18:31:39.150633Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security@golang.org", "affectedData": [{"vendor": "Go standard library", "product": "net/url", "versions": [{"status": "affected", "version": "0", "lessThan": "1.24.12", "versionType": "semver"}, {"status": "affected", "version": "1.25.0", "lessThan": "1.25.6", "versionType": "semver"}], "packageName": "net/url", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "parseQuery"}, {"name": "ParseQuery"}, {"name": "URL.Query"}]}]}], "published": "2026-01-28T20:16:09.713", "references": [{"url": "https://go.dev/cl/736712", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://go.dev/issue/77101", "tags": ["Patch"], "source": "security@golang.org"}, {"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc", "tags": ["Mailing List", "Release Notes"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4341", "tags": ["Vendor Advisory"], "source": "security@golang.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."}, {"lang": "es", "value": "El paquete net/url no establece un l\u00edmite en el n\u00famero de par\u00e1metros de consulta en una consulta. Si bien el tama\u00f1o m\u00e1ximo de los par\u00e1metros de consulta en las URL generalmente est\u00e1 limitado por el tama\u00f1o m\u00e1ximo de la cabecera de solicitud, el m\u00e9todo net/http.Request.ParseForm puede analizar formularios grandes codificados en URL. Analizar un formulario grande que contiene muchos par\u00e1metros de consulta \u00fanicos puede causar un consumo excesivo de memoria."}], "lastModified": "2026-06-17T09:50:48.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21FD9368-8AB3-404B-8599-BBF64EFE3C7B", "versionEndExcluding": "1.24.12"}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A547E844-78D2-4B17-B7A9-73E7B503D2CE", "versionEndExcluding": "1.25.6", "versionStartIncluding": "1.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}