VDB
CISA-2025-58186
CISA-2025-58186
PUBLISHED
CVSS 5.3 MEDIUM
Reported by Go · Published October 29, 2025
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
Risk Scores
CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go standard library | net/http | 0, 1.25.0 |
| Go standard library | net/http | 0, 1.25.0, 0 |
Timeline
- Oct 29, 2025 CVE Published
- Nov 4, 2025 CVE Updated