net/http: lack of limit when parsing cookies can cause memory exhaustion (CVE-2025-58186)

[nicholashusin]

Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.

Thanks to jub0bs for reporting this issue.

This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.

---

This is a PRIVATE issue for CVE-2025-58186, tracked in http://b/442560983 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/2720.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #75706 (for 1.24), #75707 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/709840 mentions this issue: [release-branch.go1.24] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed

[gopherbot]

Change https://go.dev/cl/709849 mentions this issue: [release-branch.go1.25] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed

[gopherbot]

Change https://go.dev/cl/709855 mentions this issue: net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed