[go/release-branch.go1.24] [release-branch.go1.24] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed


Gopher Robot (Gerrit)

Oct 7, 2025, 2:00:55 PM
to Nicholas Husin, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.24] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed

When handling HTTP headers, net/http does not currently limit the number
of cookies that can be parsed. The only limitation that exists is for
the size of the entire HTTP header, which is controlled by
MaxHeaderBytes (defaults to 1 MB).

Unfortunately, this allows a malicious actor to send HTTP headers which
contain a massive number of small cookies, such that as many cookies as
possible can be fitted within the MaxHeaderBytes limitation. Internally,
this causes us to allocate a massive number of Cookie structs.

For example, a 1 MB HTTP header with cookies that repeat "a=;" will
cause an allocation of ~66 MB in the heap. This can serve as a way for
malicious actors to induce memory exhaustion.

To fix this, we will now limit the number of cookies we are willing to
parse to 3000 by default. This behavior can be changed by setting a new
GODEBUG option: GODEBUG=httpcookiemaxnum. httpcookiemaxnum can be set to
allow a higher or lower cookie limit. Setting it to 0 will also allow an
infinite number of cookies to be parsed.

Thanks to jub0bs for reporting this issue.

For #75672
Fixes #75706
Fixes CVE-2025-58186
Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M doc/godebug.md
  • M src/internal/godebugs/table.go
  • M src/net/http/cookie.go
  • M src/net/http/cookie_test.go
  • M src/runtime/metrics/doc.go
Change size: L
Delta: 5 files changed, 206 insertions(+), 75 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.24
Gerrit-Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Gerrit-Change-Number: 709840
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Nicholas Husin <hu...@google.com>

Gopher Robot (Gerrit)

Oct 7, 2025, 2:02:24 PM
to Nicholas Husin, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed


When handling HTTP headers, net/http does not currently limit the number
of cookies that can be parsed. The only limitation that exists is for
the size of the entire HTTP header, which is controlled by
MaxHeaderBytes (defaults to 1 MB).

Unfortunately, this allows a malicious actor to send HTTP headers which
contain a massive number of small cookies, such that as many cookies as
possible can be fitted within the MaxHeaderBytes limitation. Internally,
this causes us to allocate a massive number of Cookie structs.

For example, a 1 MB HTTP header with cookies that repeat "a=;" will
cause an allocation of ~66 MB in the heap. This can serve as a way for
malicious actors to induce memory exhaustion.

To fix this, we will now limit the number of cookies we are willing to
parse to 3000 by default. This behavior can be changed by setting a new
GODEBUG option: GODEBUG=httpcookiemaxnum. httpcookiemaxnum can be set to
allow a higher or lower cookie limit. Setting it to 0 will also allow an
infinite number of cookies to be parsed.

Thanks to jub0bs for reporting this issue.

For #75672
Fixes #75707
Fixes CVE-2025-58186
Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Commit-Queue: Roland Shoemaker <brac...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M doc/godebug.md
  • M src/internal/godebugs/table.go
  • M src/net/http/cookie.go
  • M src/net/http/cookie_test.go
  • M src/runtime/metrics/doc.go
Change size: L
Delta: 5 files changed, 206 insertions(+), 75 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Gerrit-Change-Number: 709849
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Nicholas Husin <hu...@google.com>

Gopher Robot (Gerrit)

Oct 7, 2025, 2:23:25 PM
to Nicholas Husin, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
net/http: add httpcookiemaxnum GODEBUG option to limit number of cookies parsed


When handling HTTP headers, net/http does not currently limit the number
of cookies that can be parsed. The only limitation that exists is for
the size of the entire HTTP header, which is controlled by
MaxHeaderBytes (defaults to 1 MB).

Unfortunately, this allows a malicious actor to send HTTP headers which
contain a massive number of small cookies, such that as many cookies as
possible can be fitted within the MaxHeaderBytes limitation. Internally,
this causes us to allocate a massive number of Cookie structs.

For example, a 1 MB HTTP header with cookies that repeat "a=;" will
cause an allocation of ~66 MB in the heap. This can serve as a way for
malicious actors to induce memory exhaustion.

To fix this, we will now limit the number of cookies we are willing to
parse to 3000 by default. This behavior can be changed by setting a new
GODEBUG option: GODEBUG=httpcookiemaxnum. httpcookiemaxnum can be set to
allow a higher or lower cookie limit. Setting it to 0 will also allow an
infinite number of cookies to be parsed.

Thanks to jub0bs for reporting this issue.

For #75672
Fixes CVE-2025-58186
Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Damien Neil <dn...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Files:
  • M doc/godebug.md
  • M src/internal/godebugs/table.go
  • M src/net/http/cookie.go
  • M src/net/http/cookie_test.go
  • M src/runtime/metrics/doc.go
Change size: L
Delta: 5 files changed, 206 insertions(+), 75 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: Ied58b3bc8acf5d11c880f881f36ecbf1d5d52622
Gerrit-Change-Number: 709855
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
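The three notifications above (release-branch.go1.24, release-branch.go1.25 and master) carry the same commit message, which describes the attack by example: a Cookie header of repeated "a=;" pairs sized to the 1 MB MaxHeaderBytes limit, and the ~66 MB of Cookie structs it costs to parse. The program below is an added example, not code from the patch or from the Go project. It builds that constructed payload, counts the pairs without allocating, measures what Request.Cookies() actually allocates on whatever toolchain runs it, and shows an application-level guard for services that cannot yet pick up the fix. The names attackCookieHeader, countCookiePairs, limitCookies, statusFor and parseCost are this example's own; the allocation figure it prints is toolchain-dependent, as the comments note.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime"
	"strings"
)

// attackCookieHeader builds the constructed payload the commit message
// describes: "a=;" repeated until the header value is just under size bytes
// (1<<20 matches the 1 MB MaxHeaderBytes default). Every "a=;" is a valid
// cookie pair, so net/http allocates one Cookie struct per pair.
func attackCookieHeader(size int) string {
	return strings.Repeat("a=;", size/3)
}

// countCookiePairs counts the non-blank ';'-separated parts of one raw
// Cookie header value. strings.Cut returns substrings, so this walks the
// header without allocating, unlike Request.Cookies().
func countCookiePairs(raw string) int {
	n := 0
	for raw != "" {
		var part string
		part, raw, _ = strings.Cut(raw, ";")
		if strings.TrimSpace(part) != "" {
			n++
		}
	}
	return n
}

// limitCookies is an application-level guard (this example's own name, not
// part of net/http). It totals the pairs across all Cookie header lines and
// answers 431 before any handler calls r.Cookies(). On a toolchain without
// the fix it gives the same 3000-pair ceiling the patch makes the default;
// on one with the fix it is a per-handler limit in addition to httpcookiemaxnum.
func limitCookies(maxPairs int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		total := 0
		for _, line := range r.Header.Values("Cookie") {
			total += countCookiePairs(line)
			if total > maxPairs {
				http.Error(w, "too many cookies", http.StatusRequestHeaderFieldsTooLarge)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs a handler against a request carrying cookieHeader and
// returns the HTTP status it produced.
func statusFor(h http.Handler, cookieHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Cookie", cookieHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// parseCost reports how many Cookie values Request.Cookies() returns for
// cookieHeader and how many bytes it allocated doing so. Both depend on the
// toolchain: without the fix every pair is parsed; with it, parsing stops at
// the httpcookiemaxnum limit (3000 by default).
func parseCost(cookieHeader string) (parsed int, bytesAllocated uint64) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Cookie", cookieHeader)
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	parsed = len(req.Cookies())
	runtime.ReadMemStats(&after)
	return parsed, after.TotalAlloc - before.TotalAlloc
}

func main() {
	hdr := attackCookieHeader(1 << 20)
	fmt.Printf("header: %d bytes, %d cookie pairs\n", len(hdr), countCookiePairs(hdr))

	parsed, allocated := parseCost(hdr)
	fmt.Printf("Request.Cookies(): %d parsed, %.1f MB allocated (%s)\n",
		parsed, float64(allocated)/(1<<20), runtime.Version())

	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%d cookies\n", len(r.Cookies()))
	})
	guarded := limitCookies(3000, ok)
	fmt.Println("benign request status:", statusFor(guarded, "session=abc; theme=dark"))
	fmt.Println("attack request status:", statusFor(guarded, hdr))
}
```

Running it on a toolchain with the change and again with GODEBUG=httpcookiemaxnum=0 (which, per the commit message, restores unlimited parsing) shows the difference the limit makes in the parsed count and the allocated bytes; a toolchain without the change ignores the unknown GODEBUG setting and parses every pair either way. The guard counts on the raw header string, so it costs nothing measurable per request and rejects the payload before the per-cookie allocations happen.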