Description
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Published: 2026-05-07
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ReverseProxy in Go's net/http/httputil does not honor the urlmaxqueryparams limit set via GODEBUG when sanitizing query strings. As a result, a request can carry a large number of query parameters while only a subset is processed by Rewrite or Director logic. The excess parameters are silently forwarded to the upstream server, allowing an attacker to inject hidden data that bypasses the proxy's sanitization routine. This flaw represents improper input validation (CWE-20) and can lead to confidentiality or integrity violations by exposing hidden query values or enabling unauthorized request manipulation.

Affected Systems

All releases of the Go standard library that include the net/http/httputil ReverseProxy implementation and do not contain a specific fix for this issue. Applications that rely on the default ReverseProxy behavior without custom sanitization or input validation are potentially affected.

Risk and Exploitability

The vulnerability can be exploited by forging an HTTP request with more query parameters than the configured urlmaxqueryparams value; the attacker can embed hidden parameters that survive sanitization. While EPSS is not available and the issue is not listed in CISA KEV, the simplicity of the exploit and the fact that query-parameter limits are often set to high values suggest a non-trivial risk. Without an official patch, operators must mitigate by enforcing their own limits at the application or edge layer and monitoring for future fixes in Go releases.

Generated by OpenCVE AI on May 7, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Implement application-level validation that limits the number of query parameters in a request before passing it to ReverseProxy, rejecting or trimming requests that exceed that limit.
  • Configure the edge or ingress layer to reject or truncate requests with excessive query parameters, ensuring that the upstream receives only the expected parameters.
  • Monitor the Go standard library changelog for a fix addressing this behavior and update the runtime when a patch becomes available.
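One way to implement the first recommended action, as an added example that is not part of this advisory or of the Go project: a middleware that counts raw query pairs the way url.ParseQuery splits them and rejects requests above a ceiling before ReverseProxy's Rewrite function runs, so no parameter beyond what the parser would have seen reaches the upstream. The allow-listed "q" parameter, the function names and the ceiling passed to NewProxy are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// CountQueryParams counts the non-empty '&'-separated pairs in a raw query,
// the same split url.ParseQuery performs, so the ceiling is applied to the
// view of the request that the Rewrite function will later parse.
func CountQueryParams(rawQuery string) int {
	n := 0
	for _, pair := range strings.Split(rawQuery, "&") {
		if pair != "" {
			n++
		}
	}
	return n
}

// LimitQueryParams rejects a request whose raw query exceeds max pairs before
// it reaches ReverseProxy, so nothing past the parser's limit is forwarded.
func LimitQueryParams(max int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if CountQueryParams(r.URL.RawQuery) > max {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewProxy wraps a ReverseProxy whose Rewrite keeps only the allow-listed "q"
// parameter (constructed policy) behind the query-count check above.
func NewProxy(upstream *url.URL, max int) http.Handler {
	rp := &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream)
			out := url.Values{}
			if v := pr.In.URL.Query().Get("q"); v != "" {
				out.Set("q", v)
			}
			pr.Out.URL.RawQuery = out.Encode() // replaces the inbound query entirely
		},
	}
	return LimitQueryParams(max, rp)
}
```

Serve it with `http.ListenAndServe(":8000", NewProxy(upstreamURL, 100))`, choosing a ceiling below the runtime's urlmaxqueryparams value so the middleware, not the parser limit, is what bounds the forwarded query.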


Tracking


Advisories

No advisories yet.

History

Thu, 07 May 2026 22:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-20

Thu, 07 May 2026 20:00:00 +0000

Type: Description
Values removed: (none)
Values added: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Type: Title
Values removed: (none)
Values added: ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-07T19:41:18.453Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39825

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-07T20:16:43.390

Modified: 2026-05-07T20:38:04.860

Link: CVE-2026-39825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:00:12Z

Weaknesses