OESA-2025-2827

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2827
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2827.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2025-2827
Upstream
  • CVE-2025-47912
  • CVE-2025-58186
Published
2025-12-12T12:20:43Z
Modified
2025-12-12T12:44:51.383578Z
Summary
golang security update
Details

Security Fix(es):

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. (CVE-2025-47912)
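Added example (not part of the advisory or of the Go standard library): a wrapper around net/url that applies the RFC 3986 rule described above, so code that cannot yet move to the fixed golang package rejects a bracketed host whose contents are not an IPv6 address. The function names ParseStrict and CheckBracketedHost and the sample URLs are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBadBracketHost is returned when the host component uses square
// brackets around something that is not an IPv6 address. RFC 3986 only
// allows an IP-literal (IPv6 or IPvFuture) inside brackets.
var ErrBadBracketHost = errors.New("bracketed host is not an IPv6 address")

// CheckBracketedHost inspects u.Host and rejects "[...]" hosts whose
// contents are not an IPv6 address. A zone identifier ("fe80::1%eth0")
// is stripped before the check; url.Parse has already unescaped "%25".
func CheckBracketedHost(u *url.URL) error {
	host := u.Host
	if !strings.HasPrefix(host, "[") {
		return nil // no brackets: nothing to validate here
	}
	end := strings.Index(host, "]")
	if end < 0 {
		return ErrBadBracketHost
	}
	inner := host[1:end]
	// Anything after "]" must be empty or an explicit ":port".
	if rest := host[end+1:]; rest != "" && !strings.HasPrefix(rest, ":") {
		return ErrBadBracketHost
	}
	if i := strings.Index(inner, "%"); i >= 0 {
		inner = inner[:i]
	}
	addr, err := netip.ParseAddr(inner)
	if err != nil || !addr.Is6() {
		return ErrBadBracketHost
	}
	return nil
}

// ParseStrict wraps url.Parse with the bracket check. On a patched
// toolchain url.Parse itself rejects "[localhost]"; on an unpatched one
// the wrapper does, so callers see the same outcome either way.
func ParseStrict(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if err := CheckBracketedHost(u); err != nil {
		return nil, fmt.Errorf("parse %q: %w", raw, err)
	}
	return u, nil
}

func main() {
	// Constructed sample inputs: two valid bracketed hosts, two that the
	// RFC forbids (a hostname and an IPv4 address inside brackets).
	for _, raw := range []string{
		"http://[::1]/",
		"http://[fe80::1%25eth0]:443/x",
		"http://[localhost]/",
		"http://[127.0.0.1]:8080/",
	} {
		_, err := ParseStrict(raw)
		fmt.Printf("%-32s err=%v\n", raw, err)
	}
}
```

The check is deliberately placed in a wrapper rather than a patched copy of net/url, so it can be removed once every build uses the fixed package.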

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. (CVE-2025-58186)
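Added example (not part of the advisory or of the Go standard library): an HTTP middleware that counts "name=value" pairs in the raw Cookie header lines and rejects the request before any handler calls r.Cookies(), which is the call that allocates one struct per cookie. The names CookieLimit, CountCookiePairs and the ceiling MaxCookies are assumptions for this illustration; the 1MB figure is net/http's default header limit mentioned above.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// MaxCookies is a constructed ceiling for this example. Browsers send at
// most a few dozen cookies per host, so a small limit is safe for real
// clients while stopping a header full of "a=;" fragments.
const MaxCookies = 64

// CountCookiePairs counts non-empty ";"-separated segments across every
// Cookie header line. It works on the raw strings and allocates nothing
// per cookie, so it stays cheap on the input described in the advisory.
// It counts segments, not validated cookies, which is fine for a guard.
func CountCookiePairs(h http.Header) int {
	n := 0
	for _, line := range h.Values("Cookie") {
		for _, part := range strings.Split(line, ";") {
			if strings.TrimSpace(part) != "" {
				n++
			}
		}
	}
	return n
}

// CookieLimit rejects requests carrying more than max cookie pairs with
// 431 Request Header Fields Too Large, before the wrapped handler runs.
func CookieLimit(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if n := CountCookiePairs(r.Header); n > max {
			http.Error(w, fmt.Sprintf("too many cookies (%d > %d)", n, max),
				http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Only reached when the cookie count is within the limit.
		fmt.Fprintf(w, "parsed %d cookies\n", len(r.Cookies()))
	})
	srv := &http.Server{
		Addr:           "127.0.0.1:8080",
		Handler:        CookieLimit(MaxCookies, mux),
		MaxHeaderBytes: 1 << 20, // 1MB, the default the advisory refers to
	}
	fmt.Println("listening on", srv.Addr)
	_ = srv.ListenAndServe()
}
```

The middleware complements, rather than replaces, the fixed golang package: the patched net/http caps cookie parsing itself, while this guard also keeps the count observable (the 431 responses are easy to alert on).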

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. (CVE-2025-61729)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS / golang

Package

Name
golang
Purl
pkg:rpm/openEuler/golang&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.21.4-41.oe2403

Ecosystem specific

{
    "noarch": [
        "golang-devel-1.21.4-41.oe2403.noarch.rpm",
        "golang-help-1.21.4-41.oe2403.noarch.rpm"
    ],
    "src": [
        "golang-1.21.4-41.oe2403.src.rpm"
    ],
    "aarch64": [
        "golang-1.21.4-41.oe2403.aarch64.rpm"
    ],
    "x86_64": [
        "golang-1.21.4-41.oe2403.x86_64.rpm"
    ]
}