CVE-2025-61726
Medium · CVSS 7.5
Medium Impact
This CVE can affect KrakenD under specific conditions. Review the affected versions below and upgrade if your deployment is exposed.
net/http and is exposed to this vulnerability when processing incoming requests. Deployments that receive form-encoded POST requests — or that have body transformation or validation plugins that trigger form parsing — are most exposed. Standard JSON API traffic is not affected.
Component: Go standard library (net/http)
Disclosed: Jan 16, 2026
CVSS Score: 7.5
net/http package does not limit the number of key-value pairs parsed from application/x-www-form-urlencoded request bodies. A client sending a request with an extremely large number of form fields can cause the server to consume unbounded memory while parsing the body, leading to denial of service.
Community Edition 2.12.1 addresses this CVE
Affected CE versions: >= 2.0, < 2.12.1
Enterprise Edition 2.12.3 addresses this CVE
Affected EE versions: >= 2.0, < 2.12.3
Upgrade to the addressed version or later to remediate this vulnerability.
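The unbounded form-field parsing described above, guarded at the handler level, as an added example that is not KrakenD's or Go's own code: a net/http middleware that caps the byte size of an application/x-www-form-urlencoded body with http.MaxBytesReader and counts key=value pairs before any downstream ParseForm runs, while letting JSON traffic pass through untouched. The limits, the route and the wrapped handler are constructed for the example.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"strings"
)

// Constructed limits for this example (not KrakenD's or Go's actual values).
const (
	maxFormBody  = 1 << 20 // 1 MiB cap on a form-encoded request body
	maxFormPairs = 1000    // cap on key=value pairs before ParseForm ever runs
)

// countFormPairs counts '&'-separated pairs without decoding or storing them.
func countFormPairs(body []byte) int {
	return bytes.Count(body, []byte{'&'}) + 1
}

// limitForm bounds form bodies in bytes and field count before anything downstream calls ParseForm.
func limitForm(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
			next.ServeHTTP(w, r) // JSON and other traffic is unaffected: pass through
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxFormBody))
		if err != nil {
			http.Error(w, "form body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if countFormPairs(body) > maxFormPairs {
			http.Error(w, "too many form fields", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the bounded body on
		next.ServeHTTP(w, r)
	})
}

// newProtectedHandler: a plain ParseForm endpoint (200 on success) wrapped with the guard above.
func newProtectedHandler() http.Handler {
	return limitForm(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
	}))
}
```

Upgrading to a fixed release remains the remediation; a guard like this is defense in depth for handlers and plugins you control, and the 400/413 responses give you something to alert on.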