CVE-2025-61726

high

Red Hat

CVSS v3 Base Score

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.0%

Exploitation probability in 30 days

Top 91% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

None

Availability

High

Published: January 28, 2026 (106 days ago)

Last Modified: January 28, 2026

Vendor: Red Hat

Fix Available: ✓ Yes

Description

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

CWE

CWE-770

Affected Products

AMQ ClientsAssisted Installer for Red Hat OpenShift Container Platform 2Builds for Red Hat OpenShiftcert-manager Operator for Red Hat OpenShiftCompliance OperatorConfidential Compute AttestationCryostat 4Custom Metric Autoscaler operator for Red Hat OpenshiftDeployment Validation OperatorExternalDNS Operator

Fix Status

✅ Fix Available

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 go.dev 🔗 go.dev

CVE-2025-61726

Vulnerability Report

Description

CWE

Affected Products

Fix Status

References