2 matches found
AZL-71255 CVE-2025-61729 affecting package golang 1.26.0-1
Within HostnameError.Error, when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can...
AZL-69254 CVE-2025-58186 affecting package golang 1.26.0-1
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption...