Go net/url Package Memory Exhaustion Vulnerability in Query Parameter Parsing
Vulnerability
A denial-of-service vulnerability has been identified in the net/url package of Go. The issue arises because the package does not limit the number of query parameters it will parse from a URL query. While the size of a URL's query string is generally constrained by the maximum request header size, the net/http.Request.ParseForm method also parses large URL-encoded request bodies, so a form containing a very large number of unique query parameters can drive excessive memory consumption during parsing. The vulnerability affects Go versions prior to 1.24.12, as well as versions 1.25.0 through 1.25.6.
Impact
Exploitation of this vulnerability can cause significant memory exhaustion, leading to a denial-of-service condition.
Remediation
Users should update to Go version 1.25.6 or 1.24.12, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
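Until the patched toolchain is deployed, an application can bound what reaches ParseForm itself: cap the URL-encoded body with http.MaxBytesReader and reject requests whose query string or body carries more key=value pairs than the application ever expects. The Go code below is an added example written for this page, not the Go project's own fix and not part of the advisory; the caps (1 MiB, 1000 pairs) are constructed values and the helper names countPairs and boundedParseForm are hypothetical.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Caps for this example (constructed, not from the advisory); size them to the
// largest legitimate form the application expects.
const (
	maxFormBytes  = 1 << 20 // URL-encoded body bytes read before ParseForm
	maxParamCount = 1000    // key=value pairs accepted from query string or body
)
var errTooManyParams = errors.New("too many form parameters")

// countPairs counts non-empty key=value segments without decoding or building a map.
func countPairs(encoded string) int {
	return len(strings.FieldsFunc(encoded, func(r rune) bool { return r == '&' }))
}

// boundedParseForm enforces both caps before ParseForm runs, so an oversized
// or parameter-heavy form is rejected instead of being expanded into r.Form.
func boundedParseForm(w http.ResponseWriter, r *http.Request) error {
	if countPairs(r.URL.RawQuery) > maxParamCount {
		return errTooManyParams
	}
	ct := strings.ToLower(r.Header.Get("Content-Type"))
	if r.Body != nil && strings.HasPrefix(ct, "application/x-www-form-urlencoded") {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxFormBytes))
		if err != nil {
			return err // body exceeded maxFormBytes (or the read failed)
		}
		if countPairs(string(body)) > maxParamCount {
			return errTooManyParams
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // buffered body goes to ParseForm
	}
	return r.ParseForm()
}

func main() {
	req := httptest.NewRequest(http.MethodGet, "/?"+strings.Repeat("k=v&", maxParamCount+1), nil)
	fmt.Println(boundedParseForm(httptest.NewRecorder(), req)) // constructed request over the cap
}
```

Call boundedParseForm in place of r.ParseForm at the top of any handler that reads r.Form, and return a 413 or 400 to the client when it fails.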
