{"id":"GO-2026-4341","summary":"Memory exhaustion in query parameter parsing in net/url","details":"The net/url package does not set a limit on the number of query parameters in a query.\n\nWhile the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.","aliases":["BIT-golang-2025-61726","CVE-2025-61726"],"modified":"2026-05-01T10:44:20.067303735Z","published":"2026-01-28T19:08:18Z","related":["CGA-j4jw-ch2g-7f2h","RHSA-2026:10096","RHSA-2026:11749","RHSA-2026:12028","RHSA-2026:12029","RHSA-2026:12030","RHSA-2026:12031","RHSA-2026:12032","RHSA-2026:12033","RHSA-2026:2706","RHSA-2026:2708","RHSA-2026:2709","RHSA-2026:2914","RHSA-2026:2920","RHSA-2026:3035","RHSA-2026:3040","RHSA-2026:3092","RHSA-2026:3187","RHSA-2026:3188","RHSA-2026:3192","RHSA-2026:3193","RHSA-2026:3291","RHSA-2026:3297","RHSA-2026:3298","RHSA-2026:3336","RHSA-2026:3337","RHSA-2026:3340","RHSA-2026:3341","RHSA-2026:3343","RHSA-2026:3391","RHSA-2026:3416","RHSA-2026:3468","RHSA-2026:3469","RHSA-2026:3470","RHSA-2026:3471","RHSA-2026:3472","RHSA-2026:3473","RHSA-2026:3489","RHSA-2026:3506","RHSA-2026:3668","RHSA-2026:3669","RHSA-2026:3699","RHSA-2026:3752","RHSA-2026:3753","RHSA-2026:3812","RHSA-2026:3813","RHSA-2026:3814","RHSA-2026:3815","RHSA-2026:3816","RHSA-2026:3817","RHSA-2026:3818","RHSA-2026:3820","RHSA-2026:3821","RHSA-2026:3822","RHSA-2026:3831","RHSA-2026:3833","RHSA-2026:3835","RHSA-2026:3836","RHSA-2026:3838","RHSA-2026:3839","RHSA-2026:3840","RHSA-2026:3841","RHSA-2026:3843","RHSA-2026:3854","RHSA-2026:3864","RHSA-2026:3875","RHSA-2026:3879","RHSA-2026:3880","RHSA-2026:3898","RHSA-2026:3928","RHSA-2026:3929","RHSA-2026:3930","RHSA-2026:3931","RHSA-2026:3932","RHSA-2026:3958","RHSA-2026:3959","RHSA-2026:3970","RHSA-2026:3971","RHSA-2026:3972","RHSA-2026:3973","RHSA-2026:3974","RHSA-2026:3977","RHSA-2026:3985","RHSA-2026:4164","RHSA-2026:4166","RHSA-2026:4174","RHSA-2026:4177","RHSA-2026:4211","RHSA-2026:4256","RHSA-2026:4264","RHSA-2026:4267","RHSA-2026:4460","RHSA-2026:4672","RHSA-2026:4753","RHSA-2026:4892","RHSA-2026:4901","RHSA-2026:4907","RHSA-2026:4952","RHSA-2026:5022","RHSA-2026:5030","RHSA-2026:5031","RHSA-2026:5076","RHSA-2026:5077","RHSA-2026:5078","RHSA-2026:5079","RHSA-2026:5145","RHSA-2026:5146","RHSA-2026:5327","RHSA-2026:5461","RHSA-2026:5533","RHSA-2026:5544","RHSA-2026:5852","RHSA-2026:5853","RHSA-2026:5968","RHSA-2026:6277","RHSA-2026:6278","RHSA-2026:7676","RHSA-2026:7854","RHSA-2026:9097","RHSA-2026:9098","RHSA-2026:9108","RHSA-2026:9109"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4341","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/736712"},{"type":"REPORT","url":"https://go.dev/issue/77101"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.12"},{"introduced":"1.25.0"},{"fixed":"1.25.6"}]}],"ecosystem_specific":{"imports":[{"path":"net/url","symbols":["ParseQuery","URL.Query","parseQuery"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4341.json"}}],"schema_version":"1.7.5","credits":[{"name":"jub0bs"}]}