CVE-2025-61726

7.5 HIGH

📋 TL;DR

This vulnerability in Go's net/url package allows attackers to cause denial of service through memory exhaustion by sending HTTP requests with an excessive number of unique query parameters. Any Go application that processes URL-encoded forms via net/http.Request.ParseForm is affected, particularly web servers and API endpoints.

💻 Affected Systems

Products:
  • Go programming language
Versions: All versions before Go 1.24.0 and Go 1.23.7
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using net/http.Request.ParseForm, net/http.Request.ParseMultipartForm, or similar methods to process URL-encoded data are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to memory exhaustion, potentially requiring a service restart and causing extended downtime.

🟠 Likely Case

Degraded performance, increased memory usage, and occasional service timeouts affecting availability.

🟢 If Mitigated

Minimal impact with proper request size limits and monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing services are directly exposed to malicious requests.
🏢 Internal Only: MEDIUM - Internal services could still be targeted by authenticated users or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with many unique query parameters, which is trivial to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.24.0 or Go 1.23.7

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc

Restart Required: Yes

Instructions:

1. Update Go to version 1.24.0 or 1.23.7.
2. Recompile and redeploy all affected Go applications.
3. Restart services using the updated binaries.

🔧 Temporary Workarounds

Implement request size limits (applies to: all)

Configure web servers or reverse proxies to limit the maximum request size:

# For nginx:
client_max_body_size 1m;
# For Apache:
LimitRequestBody 1048576

Implement rate limiting (applies to: all)

Limit the number of requests per client to prevent abuse:

# Example using nginx rate limiting:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

🧯 If You Can't Patch

  • Deploy Web Application Firewall (WAF) with request size and parameter count limits
  • Implement monitoring for abnormal memory usage patterns and alert on spikes
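The proxy limits above cap the request body, and the WAF bullet asks for a parameter-count limit. The same two controls can be applied inside the Go application itself, in front of the handlers that call ParseForm. The following is an added example written for this page, not code from the Go project or the advisory: `http.MaxBytesReader` caps the URL-encoded body so ParseForm stops reading at the limit, and a small middleware counts the pairs in the raw query string (which a body-size limit does not cover, since ParseForm also merges the URL query into `r.Form` for every method) and rejects the request before any parsing happens. The limits of 100 parameters and 1 MiB are constructed values for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// Limits for this example. Both are constructed values, not figures from the
// advisory; set them to what your forms legitimately need.
const (
	maxQueryParams = 100     // key=value pairs accepted in the URL query string
	maxFormBody    = 1 << 20 // 1 MiB cap on a URL-encoded request body
)

// countQueryParams counts the '&'-separated key=value pairs in a raw query
// string by scanning it once, without building the map that ParseForm would.
func countQueryParams(rawQuery string) int {
	n := 0
	for len(rawQuery) > 0 {
		pair := rawQuery
		rest := ""
		if i := strings.IndexByte(rawQuery, '&'); i >= 0 {
			pair, rest = rawQuery[:i], rawQuery[i+1:]
		}
		if pair != "" {
			n++
		}
		rawQuery = rest
	}
	return n
}

// limitForm rejects requests whose query string carries too many parameters
// and caps the body before ParseForm can allocate for either.
func limitForm(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := countQueryParams(r.URL.RawQuery); n > maxQueryParams {
			log.Printf("rejected %s %s: %d query parameters", r.RemoteAddr, r.URL.Path, n)
			http.Error(w, "too many query parameters", http.StatusRequestURITooLong)
			return
		}
		// MaxBytesReader makes ParseForm fail with *http.MaxBytesError once the
		// body exceeds the cap instead of reading it all into memory first.
		r.Body = http.MaxBytesReader(w, r.Body, maxFormBody)
		next.ServeHTTP(w, r)
	})
}

// formHandler is a stand-in for an application handler that calls ParseForm.
func formHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d form fields\n", len(r.Form))
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/form", limitForm(http.HandlerFunc(formHandler)))
	log.Println("listening on :8080")
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Rejected requests are logged with the client address and parameter count, which gives the "requests with excessive query parameters" indicator from the detection section a concrete log line to alert on. Because the count is done on the raw string, the check costs one pass over bytes the server has already read and allocates nothing per parameter.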

🔍 How to Verify

Check if Vulnerable:

Run 'go version'. The toolchain is vulnerable if it reports a version below 1.23.7, or a 1.24 pre-release below 1.24.0.

Check Version:

go version

Verify Fix Applied:

Confirm with 'go version' that the toolchain is 1.23.7 or later in the 1.23 line, or 1.24.0 or later, and test with sample requests containing many parameters.

📡 Detection & Monitoring

Log Indicators:

  • High memory usage alerts
  • HTTP 413 (Payload Too Large) errors
  • Increased garbage collection activity

Network Indicators:

  • Unusually large HTTP requests
  • Requests with excessive query parameters
  • Spike in request size

SIEM Query:

source="web_logs" AND (uri_query_count > 1000 OR request_size > 1048576)
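The SIEM query above expresses the two rules (more than 1000 query parameters, or a request over 1048576 bytes). As an added example, not part of this advisory, the following Go program applies the same rules to JSON access-log lines so they can be checked offline or in a pipeline without a SIEM. The log field names (`remote_addr`, `method`, `uri`, `request_length`, `status`) and the sample lines are constructed for the example; rename the fields to match what your web server emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Thresholds taken from the SIEM query above: more than 1000 query parameters
// or a request larger than 1 MiB.
const (
	alertQueryCount  = 1000
	alertRequestSize = 1048576
)

// accessEntry is the subset of fields this example expects in a JSON access
// log. The field names are assumptions for the example (for instance an nginx
// log_format that emits $remote_addr, $request_method, $request_uri,
// $request_length and $status); rename them to match your logs.
type accessEntry struct {
	Remote        string `json:"remote_addr"`
	Method        string `json:"method"`
	URI           string `json:"uri"`
	RequestLength int    `json:"request_length"`
	Status        int    `json:"status"`
}

// Alert is one access-log line that matched a rule, with the reason.
type Alert struct {
	Remote string
	Reason string
}

// queryParamCount counts the non-empty key=value pairs in the query part of a
// request URI; a URI that does not parse counts as 0.
func queryParamCount(rawURI string) int {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil || u.RawQuery == "" {
		return 0
	}
	n := 0
	for _, pair := range strings.Split(u.RawQuery, "&") {
		if pair != "" {
			n++
		}
	}
	return n
}

// scanAccessLog applies both rules to each JSON line. Lines that do not parse
// are skipped and counted so that a broken log pipeline is visible too.
func scanAccessLog(lines []string) (alerts []Alert, skipped int) {
	for _, line := range lines {
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			skipped++
			continue
		}
		if n := queryParamCount(e.URI); n > alertQueryCount {
			alerts = append(alerts, Alert{e.Remote, fmt.Sprintf("%s request with %d query parameters", e.Method, n)})
		}
		if e.RequestLength > alertRequestSize {
			alerts = append(alerts, Alert{e.Remote, fmt.Sprintf("%s request of %d bytes (status %d)", e.Method, e.RequestLength, e.Status)})
		}
	}
	return alerts, skipped
}

// sampleLog returns constructed log lines: two benign requests, one with 1200
// query parameters, one with a 2 MiB body that the server already answered
// with 413, and one malformed line.
func sampleLog() []string {
	many := make([]string, 1200)
	for i := range many {
		many[i] = fmt.Sprintf("k%d=v", i)
	}
	return []string{
		`{"remote_addr":"198.51.100.7","method":"GET","uri":"/search?q=go&page=2","request_length":312,"status":200}`,
		`{"remote_addr":"198.51.100.9","method":"POST","uri":"/login","request_length":845,"status":302}`,
		`{"remote_addr":"203.0.113.44","method":"GET","uri":"/api/items?` + strings.Join(many, "&") + `","request_length":9000,"status":200}`,
		`{"remote_addr":"203.0.113.45","method":"POST","uri":"/form","request_length":2097152,"status":413}`,
		`not json at all`,
	}
}

func main() {
	alerts, skipped := scanAccessLog(sampleLog())
	for _, a := range alerts {
		fmt.Printf("ALERT %-14s %s\n", a.Remote, a.Reason)
	}
	fmt.Printf("%d alert(s), %d unparsable line(s)\n", len(alerts), skipped)
}
```

The 413 in the fourth sample line is itself one of the log indicators listed above: a proxy or MaxBytesReader limit that is working still leaves a trail worth counting, since a burst of 413s from one source points at the same traffic the memory alerts would.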
