Although the total size of HTTP headers is limited to 1 MB by default, there was no limit on the number of cookies that could be parsed from them.
By sending a large number of very small cookies such as "a=;", an attacker could make an HTTP server allocate a large number of structs, causing high memory consumption.
net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.
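As an added illustration of the mitigation described above (this is not the net/http patch itself, and the `countCookiePairs`/`limitCookies` helpers are assumptions of this example), the following handler wrapper counts the `name=value` pairs in the raw Cookie header lines before `r.Cookies()` parses them, and rejects requests over a cap with a 431 response. The 3000 default is the value the advisory names; the counting is done on the raw strings so the check itself does not allocate per cookie.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// maxCookiesPerRequest mirrors the default cap the advisory says net/http
// now applies. The helpers below are an illustrative example, not the
// standard library's own implementation.
const maxCookiesPerRequest = 3000

// countCookiePairs counts non-empty "name=value" segments across every
// Cookie header line without allocating a struct per cookie, so the check
// stays cheap even on abusive input such as "a=;a=;a=;...".
func countCookiePairs(cookieHeaders []string) int {
	n := 0
	for _, line := range cookieHeaders {
		for _, part := range strings.Split(line, ";") {
			if strings.TrimSpace(part) != "" {
				n++
			}
		}
	}
	return n
}

// limitCookies wraps a handler and rejects requests that carry more than max
// cookies before the downstream handler would parse them with r.Cookies().
func limitCookies(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := countCookiePairs(r.Header.Values("Cookie")); n > max {
			http.Error(w,
				fmt.Sprintf("too many cookies (%d > %d)", n, max),
				http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Downstream handler only runs once the cookie count has been checked.
	h := limitCookies(maxCookiesPerRequest, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "parsed %d cookies\n", len(r.Cookies()))
	}))
	log.Fatal(http.ListenAndServe(":8080", h))
}
```

On a patched Go toolchain the cap is enforced by net/http itself and tuned through the `httpcookiemaxnum` GODEBUG option named above; a wrapper like this is mainly useful for servers that cannot yet upgrade, or that want a lower application-specific limit than the default.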
Thanks to jub0bs for reporting this issue.
This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.
This is a PRIVATE issue for CVE-2025-58186, tracked in http://b/442560983 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2720.
/cc @golang/security and @golang/release