Bug 2407250 (CVE-2025-58186) - CVE-2025-58186 golang.org/net/http: Lack of limit when parsing cookies can cause memory exhaustion in net/http
Summary: CVE-2025-58186 golang.org/net/http: Lack of limit when parsing cookies can ca...
Keywords:
Status: NEW
Alias: CVE-2025-58186
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-10-29 23:01 UTC by OSIDB Bzimport
Modified: 2026-01-03 08:28 UTC (History)
147 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-10-29 23:01:46 UTC 
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
Note You need to log in before you can comment on or make changes to this bug.