CVE-2025-58186: HTTP Cookie Parsing DoS Vulnerability

CVE-2025-58186 Overview

CVE-2025-58186 is a denial-of-service vulnerability in the Go standard library's net/http package. While HTTP headers are bounded by a default 1MB limit, the parser does not cap the number of individual cookies extracted from the Cookie header. An attacker can submit a request containing many minimally-sized cookies such as a=; to force the server to allocate a large number of cookie structs. The resulting memory pressure can degrade service availability on affected Go HTTP servers.

Critical Impact

Remote unauthenticated attackers can trigger excessive memory allocation in Go HTTP servers by sending crafted Cookie headers, leading to availability impact.

Affected Products

• Go standard library net/http package (see Go Vulnerability Report GO-2025-4012)
• HTTP servers built on affected Go runtime versions
• Applications using http.Request.Cookies() or related cookie parsing functions

Discovery Timeline

• 2025-10-29 - CVE-2025-58186 published to the National Vulnerability Database
• 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-58186

Vulnerability Analysis

The Go net/http package parses the Cookie request header into a slice of *http.Cookie structs. The parser enforces a 1MB cap on total header size but does not impose an upper bound on the number of cookie entries produced from that header. Each parsed cookie allocates a struct containing name, value, and metadata fields. When attackers pack the header with thousands of two-character entries, the allocator scales linearly with the entry count rather than with the byte size of the header.

This is a resource exhaustion issue [CWE-770] that affects only the availability dimension. It does not expose data or allow code execution. The Go security team addressed the issue via change list CL 709855 tracked in issue 75672.

Root Cause

The root cause is missing input validation on the cardinality of cookies parsed from a single Cookie header. The fix introduces a hard limit on the number of cookies the parser will produce regardless of header byte size.

Attack Vector

An unauthenticated remote attacker sends an HTTP request with a Cookie header populated by many short entries separated by semicolons. A single 1MB header can contain hundreds of thousands of a=; pairs. Each pair forces struct allocation during request parsing. Repeated requests amplify the memory pressure and can push the server toward out-of-memory termination or garbage collector thrashing.

No authentication, user interaction, or special network position is required. Any endpoint reachable over HTTP that parses cookies is exposed.

Detection Methods for CVE-2025-58186

Indicators of Compromise

• HTTP requests containing Cookie headers approaching the 1MB limit with abnormally high counts of short name-value pairs
• Repeated requests from a single source with payload patterns such as a=; b=; c=; repeated thousands of times
• Go application processes exhibiting rapid heap growth correlated with inbound HTTP traffic
• Out-of-memory kills or sustained garbage collection cycles on Go-based services

Detection Strategies

• Inspect web server, load balancer, and WAF logs for Cookie header lengths above operational baselines
• Count semicolon delimiters per Cookie header at the proxy layer and alert when counts exceed a sane threshold (for example, 100)
• Correlate process memory metrics from runtime.MemStats with per-client request rates to identify amplification patterns

Monitoring Recommendations

• Track Go runtime heap allocation rate and pause times alongside HTTP request volume
• Enable structured logging for request header sizes and cookie counts on internet-facing services
• Alert on traffic spikes from individual source IPs against endpoints that parse cookies prior to authentication

How to Mitigate CVE-2025-58186

Immediate Actions Required

• Upgrade to the patched Go toolchain version identified in the Golang announcement and rebuild affected binaries
• Inventory all Go-based HTTP services and confirm the runtime version compiled into each binary
• Deploy WAF or reverse proxy rules to cap inbound Cookie header size and entry count until binaries are rebuilt

Patch Information

The fix is delivered through Go change list 709855 referenced in Go issue 75672 and tracked as GO-2025-4012. Rebuild Go applications against the patched toolchain to apply the bounded cookie parsing behavior. Additional discussion is available on the Openwall oss-security list.

Workarounds

• Place a reverse proxy in front of Go services and configure a maximum Cookie header length well below 1MB
• Reject requests at the edge when the number of cookie pairs exceeds the application's legitimate maximum
• Apply per-source rate limiting on endpoints that process cookies before authentication
• Set conservative request body and header timeouts on http.Server to limit the duration of malicious requests

# Example nginx configuration to cap Cookie header size at the edge
http {
    large_client_header_buffers 4 8k;
    client_header_buffer_size 1k;

    map $http_cookie $cookie_too_long {
        default 0;
        "~^.{8192,}$" 1;
    }

    server {
        if ($cookie_too_long) {
            return 400;
        }
    }
}