VDB

CISA-2025-58186

CISA-2025-58186 PUBLISHED CVSS 5.3 MEDIUM

Reported by Go · Published October 29, 2025

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Risk Scores

CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products

VendorProductVersions
Go standard librarynet/http0, 1.25.0
Go standard librarynet/http0, 1.25.0, 0

Timeline

  • Oct 29, 2025 CVE Published
  • Nov 4, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›