CVE-2025-58186
Description
Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large number of structs, causing large memory consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Go's net/http package lacks a limit on the number of cookies parsed from a request, allowing an unauthenticated attacker to cause memory exhaustion by sending many small cookies in a single Cookie header.
Vulnerability
CVE-2025-58186 is a denial-of-service vulnerability in Go's net/http package. The server enforces a default limit of 1 MB on the request header block (http.DefaultMaxHeaderBytes), but the cookie parser places no limit on how many cookies it will extract from that block. A cookie such as "a=;" costs only three bytes on the wire, so a single request can carry roughly 350,000 of them, and the parser allocates an http.Cookie struct for every one, consuming far more memory than the header bytes themselves [4].
Exploitation
The attack is network-based and requires no authentication. An attacker sends HTTP requests whose Cookie header holds a very large number of tiny cookies to a vulnerable Go HTTP server. The per-cookie structs are built when the handler, or any middleware in front of it, calls r.Cookies() or r.Cookie(), which session handling typically does on every request, so each such request costs the server memory out of proportion to its size. Repeating the request over many concurrent connections can exhaust available memory and cause a denial of service [1][2].
Impact
Successful exploitation results in memory exhaustion, leading to denial of service; the memory is released once the affected handlers return and the garbage collector runs, so an attacker sustains the effect by sending such requests concurrently. The vulnerability has a CVSS v3 score of 5.3 (Medium) [1][2].
Mitigation
The fix is included in Go 1.25.2 and Go 1.24.8, which cap the number of cookies parsed per request at 3000 by default; the cap is adjustable through the httpcookiemaxnum GODEBUG setting (for example GODEBUG=httpcookiemaxnum=N in the environment, or a //go:debug httpcookiemaxnum=N directive in the main package). Users should update to these versions [2][4]. Until the toolchain is upgraded, two stopgaps bound the exposure: lowering Server.MaxHeaderBytes caps the cookie count proportionally (about one cookie per three header bytes), and rejecting requests whose Cookie header holds more than a chosen number of pairs before any code calls r.Cookies() avoids the per-cookie allocations entirely.
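The attack described under Exploitation and the pre-parse stopgap described under Mitigation, as an added Go example that is not code from this page or from the Go project. The helper names (buildCookieHeader, allocatedByParsing, countCookiePairs, limitCookies, statusWithLimit) are this example's own; the 3000 threshold is taken from the patched default, and the request is constructed locally with httptest so nothing leaves the process. allocatedByParsing measures what one r.Cookies() call allocates for n tiny cookies; on an unpatched toolchain the parsed count tracks the sent count without bound, on a patched one it stops tracking it past 3000.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime"
	"strings"
)

// buildCookieHeader builds a Cookie header value made of n copies of the
// 3-byte cookie "a=;" from the advisory. Under the default 1 MiB header
// limit (http.DefaultMaxHeaderBytes) roughly 350,000 of them fit in one
// request, so the header size limit alone does not bound the cookie count.
func buildCookieHeader(n int) string {
	return strings.Repeat("a=;", n)
}

// allocatedByParsing puts n tiny cookies on a locally constructed request
// and measures one r.Cookies() call. It returns how many cookies the parser
// handed back and how many heap bytes were allocated while parsing them.
func allocatedByParsing(n int) (cookies int, heapBytes uint64) {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.Header.Set("Cookie", buildCookieHeader(n))

	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	parsed := r.Cookies() // one *http.Cookie per cookie on unpatched Go
	runtime.ReadMemStats(&after)
	return len(parsed), after.TotalAlloc - before.TotalAlloc
}

// countCookiePairs counts cookie pairs across every Cookie header line
// without allocating anything per cookie: it walks the raw bytes with
// strings.Cut, skipping empty pairs (e.g. a trailing ';'), so it costs
// O(header length) no matter how many cookies are present.
func countCookiePairs(h http.Header) int {
	n := 0
	for _, line := range h.Values("Cookie") {
		for line != "" {
			var part string
			part, line, _ = strings.Cut(line, ";")
			if strings.TrimSpace(part) != "" {
				n++
			}
		}
	}
	return n
}

// limitCookies is a stopgap for servers that cannot yet run Go 1.25.2 or
// 1.24.8: it refuses the request with 431 before any handler calls
// r.Cookies() or r.Cookie(), so the per-cookie structs are never built.
// maxCookies = 3000 mirrors the patched default.
func limitCookies(maxCookies int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if countCookiePairs(r.Header) > maxCookies {
			http.Error(w, "too many cookies", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusWithLimit runs a request carrying cookieHeader through limitCookies
// in front of a handler that parses cookies and answers 200, and returns
// the resulting status code (200 when admitted, 431 when rejected).
func statusWithLimit(maxCookies int, cookieHeader string) int {
	h := limitCookies(maxCookies, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.Cookies() // what real session code does; only safe behind the gate
		w.WriteHeader(http.StatusOK)
	}))
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	if cookieHeader != "" {
		r.Header.Set("Cookie", cookieHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	for _, n := range []int{10, 1000, 100000} {
		got, bytes := allocatedByParsing(n)
		fmt.Printf("%7d cookies sent -> %7d parsed, %10d bytes allocated by r.Cookies()\n", n, got, bytes)
	}
	fmt.Println("limit 3000, 10 cookies     ->", statusWithLimit(3000, buildCookieHeader(10)))
	fmt.Println("limit 3000, 100000 cookies ->", statusWithLimit(3000, buildCookieHeader(100000)))
}
```

The gate counts separators rather than calling r.Cookies() because the count is the thing being defended; any check that first parses the cookies would itself perform the allocations the attack relies on. Wrap the server's top-level handler with limitCookies(3000, mux) to apply it to every route.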
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.