{"id":"GO-2025-4012","summary":"Lack of limit when parsing cookies can cause memory exhaustion in net/http","details":"Although HTTP headers have a default size limit of 1MB, the number of cookies that can be parsed has no limit. By sending many very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large number of structs, causing large memory consumption.","aliases":["BIT-golang-2025-58186","CVE-2025-58186"],"modified":"2026-05-15T10:59:08.245515694Z","published":"2025-10-29T21:50:05Z","related":["CGA-px9r-m4wp-7xgh","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-4012"},"references":[{"type":"REPORT","url":"https://go.dev/issue/75672"},{"type":"FIX","url":"https://go.dev/cl/709855"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.24.8"},{"introduced":"1.25.0"},{"fixed":"1.25.2"}]}],"ecosystem_specific":{"imports":[{"path":"net/http","symbols":["Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","Get","Head","ParseCookie","Post","PostForm","Request.Cookie","Request.Cookies","Request.CookiesNamed","Response.Cookies","readCookies","readSetCookies"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4012.json"}}],"schema_version":"1.7.5","credits":[{"name":"jub0bs"}]}