The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 28 Jan 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. |
| Title | | Memory exhaustion in query parameter parsing in net/url |
| References | | |


MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-01-28T19:30:31.215Z

Reserved: 2025-09-30T15:05:03.605Z

Link: CVE-2025-61726

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-01-28T20:16:09.713

Modified: 2026-01-28T20:16:09.713

Link: CVE-2025-61726

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.