CVE-2026-39825

MEDIUM

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

Title source: cna

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

References (4)

Core 4

Core References

https://go.dev/cl/770541

https://go.dev/issue/78948

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://pkg.go.dev/vuln/GO-2026-4976

Scores

CVSS v3 5.3

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

Status published

Products (3)

Go standard library/net/http/httputil < 1.25.10

Go standard library/net/http/httputil 1.26.0-0 - 1.26.3

golang/go < 1.25.10

Published May 07, 2026

Tracked Since May 08, 2026