CVE-2025-58186: 
cAdvisor vulnerability analysis and mitigation

CVE-2025-58186 is a security vulnerability discovered in Go's net/http package that affects versions before Go 1.24.8 and from Go 1.25.0 before Go 1.25.2. The vulnerability was disclosed on October 29, 2025, and involves a memory exhaustion issue in the HTTP cookie parsing functionality. Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed did not have a limit, making the system vulnerable to memory consumption attacks (Ubuntu Security, Golang Announce).

The vulnerability exists in the net/http package's cookie parsing mechanism. While HTTP headers are limited to 1MB by default, there was no limit on the number of individual cookies that could be parsed. An attacker can exploit this by sending numerous small cookies (such as 'a=;') to force the HTTP server to allocate a large amount of structs, leading to excessive memory consumption. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Rapid7).

The primary impact of this vulnerability is on system availability. By exploiting this vulnerability, attackers can cause large memory consumption on HTTP servers, potentially leading to resource exhaustion and degraded service performance. The vulnerability affects multiple components and functions within the net/http package, including Client.Do, Client.Get, Client.Head, Client.Post, Client.PostForm, and various other HTTP-related functions (Go Packages).

The vulnerability has been fixed in Go versions 1.24.8 and 1.25.2. The fix implements a limit of 3000 cookies that can be parsed, which can be adjusted using the httpcookiemaxnum GODEBUG option. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Golang Announce).