HTTP Cookie Parsing Vulnerability

MEDIUM (5.3) No Patch (51 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 8%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The vulnerability affects HTTP cookie parsing in the Go programming language. In normal circumstances, HTTP servers have a default limit of 1MB for parsing cookies. However, due to a bug in the parser, there is no limit on the number of cookies that can be parsed. An attacker can exploit this by sending a large number of small cookies, causing the server to allocate excessive memory.

Am I affected?

You're affected if you use Go version 1.17 or later (the bug was introduced in version 1.17). Check your installed version with the go version command.

Note: This vulnerability is specific to Go and not related to other programming languages or software products.

Affected Packages

go: github.com/golang/go

How to fix

- Upgrade to Go version 1.18 or later.
- Apply the patch from https://golang.org/doc/cve-2025-4012
- If an immediate upgrade isn't possible, consider a temporary fix:
  - Set http.ParseCookieHeader to return immediately if it encounters an invalid cookie header (this can be done by modifying the Go source code or using a third-party library).
  - Implement rate limiting on HTTP requests that carry cookies.
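As an added illustration of the temporary-fix advice above (this is not code from the advisory or from the Go project): a net/http middleware that bounds the raw Cookie header before r.Cookies() parses it, so a request carrying thousands of small cookies is rejected with 431 instead of triggering one allocation per cookie. The byte and pair limits are constructed values to tune per deployment.

```go
package main

import (
	"net/http"
	"strings"
)

// Limits for the temporary mitigation; constructed values, tune per deployment.
const (
	maxCookieHeaderBytes = 8 << 10 // 8 KiB across all Cookie header lines
	maxCookiePairs       = 64      // name=value pairs across all Cookie header lines
)

// cookieHeaderTooLarge scans only the raw Cookie header strings, so it runs
// before net/http allocates one *http.Cookie per pair in r.Cookies().
func cookieHeaderTooLarge(hdr http.Header, maxBytes, maxPairs int) bool {
	bytes, pairs := 0, 0
	for _, line := range hdr.Values("Cookie") {
		bytes += len(line)
		if bytes > maxBytes {
			return true
		}
		for _, part := range strings.Split(line, ";") {
			if strings.TrimSpace(part) == "" {
				continue // a trailing "; " is not a pair
			}
			pairs++
			if pairs > maxPairs {
				return true
			}
		}
	}
	return false
}

// LimitCookies wraps a handler and answers 431 when the Cookie header is oversized.
func LimitCookies(next http.Handler, maxBytes, maxPairs int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cookieHeaderTooLarge(r.Header, maxBytes, maxPairs) {
			http.Error(w, "cookie header too large", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Demo server (constructed): handlers behind the guard may call r.Cookies() safely.
func main() {
	http.ListenAndServe(":8080", LimitCookies(http.NotFoundHandler(), maxCookieHeaderBytes, maxCookiePairs))
}
```

Place the wrapper outermost in the handler chain so no other middleware touches r.Cookies() first.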