net/http: memory exhaustion in Request.ParseForm (CVE-2025-61726)

[neild]

When parsing a URL-encoded form net/http may allocate an unexpected amount of
memory when provided a large number of key-value pairs. This can result in a
denial of service due to memory exhaustion.

Thanks to jub0bs for reporting this issue.

This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.

---

This is a PRIVATE issue for CVE-2025-61726, tracked in http://b/457464435 and fixed by https://go-internal-review.git.corp.google.com/c/go/+/3020.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #77107 (for 1.24), #77108 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/736723 mentions this issue: [release-branch.go1.25] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters

[gopherbot]

Change https://go.dev/cl/736702 mentions this issue: [release-branch.go1.24] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters

[gopherbot]

Change https://go.dev/cl/736707 mentions this issue: [release-branch.go1.26] net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters

[gopherbot]

Change https://go.dev/cl/736712 mentions this issue: net/url: add urlmaxqueryparams GODEBUG to limit the number of query parameters