Go net/url: MEM BOMB via Unlimited Query Param Count
CVE-2025-61726 Published on January 28, 2026

Memory exhaustion in query parameter parsing in net/url
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
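One way to bound this parsing in a service of your own, as an added example (not code from the Go project or from this page): a middleware that caps the URL-encoded body size and the number of `&`-separated pairs before `ParseForm` builds its map. The names `LimitForm`, `tooManyParams` and `statusFor`, the limits, and the sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tooManyParams counts '&' separators only, so it allocates nothing.
func tooManyParams(raw string, limit int) bool {
	return raw != "" && strings.Count(raw, "&")+1 > limit
}

// LimitForm (hypothetical helper) rejects oversized queries and form bodies before ParseForm runs.
func LimitForm(maxParams int, maxBody int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tooManyParams(r.URL.RawQuery, maxParams) {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		if strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
			body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
			if err != nil {
				http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
				return
			}
			if tooManyParams(string(body), maxParams) {
				http.Error(w, "too many form parameters", http.StatusBadRequest)
				return
			}
			r.Body = io.NopCloser(strings.NewReader(string(body))) // hand the bytes back to ParseForm
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor posts a constructed form body through the guard (limits: 3 pairs, 64 bytes).
func statusFor(body string) int {
	inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { r.ParseForm() })
	req := httptest.NewRequest("POST", "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	LimitForm(3, 64, inner).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("a=1&b=2"), statusFor("a=1&b=2&c=3&d=4")) }
```

Counting separators gives an upper bound on the number of pairs, so the check never undercounts what the parser would allocate.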


Vulnerability Analysis

CVE-2025-61726 is exploitable over the network and requires neither privileges nor user interaction. Its attack complexity is considered low. An exploit is considered to have no impact on confidentiality or integrity, and a high impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Weakness Type

Allocation of Resources Without Limits or Throttling

The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.



Affected Versions

Go standard library net/url
Red Hat Ansible Automation Platform 2.6 for RHEL 10
Red Hat Enterprise Linux Server (v. 7 ELS)
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Red Hat Ansible Automation Platform 2.5 for RHEL 8
Red Hat OpenShift Container Platform 4.12
Red Hat OpenShift Container Platform 4.13
Red Hat OpenShift Container Platform 4.16
Red Hat OpenShift Container Platform 4.17
Red Hat OpenShift Container Platform 4.18
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.5 for RHEL 9
Red Hat Ansible Automation Platform 2.6 for RHEL 9
Red Hat Cryostat 4 on RHEL 9
Red Hat OpenStack Platform 17.1
Red Hat OpenShift Container Platform 4.19
Red Hat Satellite 6.18 for RHEL 9
Red Hat Enterprise Linux AppStream EUS (v. 10.0)
Red Hat Enterprise Linux AppStream (v. 10)
Red Hat Enterprise Linux AppStream (v. 8)
Red Hat Enterprise Linux AppStream AUS (v. 8.2)
Red Hat Enterprise Linux AppStream AUS (v.8.4)
Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)
Red Hat Enterprise Linux AppStream AUS (v.8.6)
Red Hat Enterprise Linux AppStream E4S (v.8.6)
Red Hat Enterprise Linux AppStream TUS (v.8.6)
Red Hat Enterprise Linux AppStream E4S (v.8.8)
Red Hat Enterprise Linux AppStream TUS (v.8.8)
Red Hat Enterprise Linux AppStream E4S (v.9.0)
Red Hat Enterprise Linux AppStream E4S (v.9.2)
Red Hat Enterprise Linux AppStream EUS (v.9.4)
Red Hat Enterprise Linux AppStream EUS (v.9.6)
Red Hat Enterprise Linux AppStream (v. 9)
Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
Red Hat CodeReady Linux Builder EUS (v.9.4)
Red Hat CodeReady Linux Builder EUS (v.9.6)
Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
Cert Manager support for Red Hat OpenShift release 1.17
Red Hat Custom Metric Autoscaler 2.19
Red Hat DevWorkspace Operator 0.4
Red Hat HawtIO HawtIO 4.3.1
Red Hat HawtIO HawtIO 4.4.0
Logging Subsystem for Red Hat OpenShift 6.0
Logging Subsystem for Red Hat OpenShift 6.2
Logging Subsystem for Red Hat OpenShift 6.3
Logging Subsystem for Red Hat OpenShift 6.4
Red Hat Multicluster Global Hub 1.4.5
Red Hat Multicluster Global Hub 1.5.4
Red Hat Multicluster Global Hub 1.6.2
Red Hat Network Observability (NETOBSERV) 1.11.2
Red Hat OpenShift API for Data Protection 1.4
Red Hat OpenShift API for Data Protection 1.5
Red Hat OpenShift Compliance Operator 1
Red Hat OpenShift Developer Tools and Services 1.6.2
Red Hat OpenShift File Integrity Operator - FIO 1
Red Hat Advanced Cluster Management for Kubernetes 2.13
Red Hat Advanced Cluster Management for Kubernetes 2.14
Red Hat Advanced Cluster Management for Kubernetes 2.15
Red Hat Advanced Cluster Security for Kubernetes 4.8
Red Hat Advanced Cluster Security for Kubernetes 4.9
Red Hat Ansible Automation Platform 2.6
Red Hat Developer Hub 1.8
Red Hat Hardened Images
Red Hat Lightspeed (formerly Insights) for Runtimes 1
Red Hat OpenShift AI 2.16
Red Hat OpenShift AI 2.25
Red Hat OpenShift AI 3.3
Red Hat OpenShift Builds 1.6.5
Red Hat OpenShift Container Platform 4.14
Red Hat OpenShift Container Platform 4.15
Red Hat OpenShift Container Platform 4.20
Red Hat OpenShift Dev Spaces (RHOSDS) 3.26
Red Hat OpenShift Dev Spaces 3.27
Red Hat OpenShift GitOps 1.17
Red Hat OpenShift GitOps 1.18
Red Hat OpenShift GitOps 1.19
Red Hat OpenShift Service Mesh 2.6
Red Hat OpenShift Service Mesh 3.0
Red Hat OpenShift Service Mesh 3.1
Red Hat OpenShift Service Mesh 3.2
Red Hat OpenShift distributed tracing 3.9.3
Red Hat OpenStack Services on OpenShift 18
Red Hat Openshift Data Foundation 4.18
Red Hat Openshift Data Foundation 4.19
Red Hat Quay 3.12
Red Hat Quay 3.14
Red Hat Quay 3.15
Red Hat Quay 3.16
Red Hat Quay 3.1
Red Hat Quay 3.9
Red Hat Satellite 6.18
Red Hat Trusted Artifact Signer 1.3
Red Hat Update Infrastructure 5
Red Hat Web Terminal 1.11
Red Hat Web Terminal 1.12
Red Hat Web Terminal 1.13
Red Hat Web Terminal 1.14
Red Hat Web Terminal 1.15
Red Hat Streams for Apache Kafka 3.2.0
Red Hat Zero Trust Workload Identity Manager 1
mirror registry for Red Hat OpenShift 2.0
Red Hat multicluster engine for Kubernetes 2.10
Red Hat multicluster engine for Kubernetes 2.6
Red Hat multicluster engine for Kubernetes 2.7
Red Hat multicluster engine for Kubernetes 2.8
Red Hat multicluster engine for Kubernetes 2.9
Assisted Installer for Red Hat OpenShift Container Platform 2
cert-manager Operator for Red Hat OpenShift
Red Hat Confidential Compute Attestation
Red Hat Cryostat 4
Custom Metric Autoscaler operator for Red Hat Openshift
Red Hat Deployment Validation Operator
External Secrets Operator for Red Hat OpenShift
Red Hat ExternalDNS Operator
Red Hat Fence Agents Remediation Operator
Red Hat File Integrity Operator
Red Hat Gatekeeper 3
Red Hat Logical Volume Manager Storage
Red Hat Machine Deletion Remediation Operator
Red Hat Migration Toolkit for Applications 8
Red Hat Migration Toolkit for Containers
mirror registry for Red Hat OpenShift
Red Hat Multiarch Tuning Operator
Red Hat Multicluster Engine for Kubernetes
Red Hat Node HealthCheck Operator
Red Hat Node Maintenance Operator
Red Hat OpenShift API for Data Protection
Red Hat OpenShift Developer Tools and Services
Red Hat OpenShift Lightspeed
Red Hat OpenShift Pipelines
Red Hat OpenShift Serverless
Red Hat OpenShift Service Mesh 2
Red Hat OpenShift Service Mesh 3
Red Hat 3scale API Management Platform 2
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat AMQ Clients
Red Hat Ansible Automation Platform 2
Red Hat Ceph Storage 5
Red Hat Ceph Storage 6
Red Hat Ceph Storage 7
Red Hat Ceph Storage 8
Red Hat Certification Program for Red Hat Enterprise Linux 9
Red Hat Connectivity Link 1
Red Hat Edge Manager 1
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat OpenShift AI (RHOAI)
Red Hat OpenShift Cluster Manager CLI
Red Hat OpenShift Container Platform 4
Red Hat OpenShift distributed tracing 3
Red Hat OpenShift for Windows Containers
Red Hat OpenShift on AWS
Red Hat OpenShift Virtualization 4
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 18.0
Red Hat Quay 3
Red Hat Satellite 6
Red Hat Service Interconnect 1
Red Hat Service Interconnect 2
Red Hat Zero Trust Workload Identity Manager - Tech Preview
Ironic content for Red Hat OpenShift Container Platform 4.17
Ironic content for Red Hat OpenShift Container Platform 4.18
Logging Subsystem for Red Hat OpenShift
Power monitoring for Red Hat OpenShift
Red Hat OpenShift Dev Spaces
Red Hat Zero Trust Workload Identity Manager

Exploit Probability

EPSS: 0.79%
Percentile: 51.44%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.