Description
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ReverseProxy in Go's net/http/httputil does not honor the urlmaxqueryparams limit (set via GODEBUG) when sanitizing query strings. As a result, a client can send a request containing more query parameters than that limit allows, and the proxy sanitizes only the parameters url.ParseQuery actually parsed, silently forwarding the rest. This is an improper input validation flaw (CWE-20) that can let an attacker pass hidden data past Rewrite or Director logic, potentially exposing information or altering upstream behavior.

Affected Systems

Every Go runtime that ships with the unpatched ReverseProxy implementation is affected. Applications that use the standard net/http/httputil ReverseProxy without adding their own input‑validation layer or custom sanitization are susceptible. The flaw is present in all releases before any future patch that addresses this behavior.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and an EPSS score below 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector is the network: an attacker sends the reverse proxy HTTP requests carrying an excessive number of query parameters. The flaw lies entirely in the proxy's own request handling and requires no privileges beyond ordinary network access. Because it hinges on an unbounded query parameter list, the practical impact depends on how the downstream service handles the forwarded parameters, but it can result in hidden data being processed or unexpected upstream actions.

Generated by OpenCVE AI on May 13, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Add application‑level checks that count query parameters and reject or trim requests exceeding a defined threshold prior to invoking ReverseProxy.
  • Configure upstream ingress or edge devices to filter requests with an excessive number of parameters, ensuring only the expected parameters reach ReverseProxy.
  • Keep the Go standard library current and monitor release notes for a fix; once an updated runtime is available, upgrade to eliminate the flaw.
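The first recommended action, an application-level count of raw query parameters applied before the request reaches ReverseProxy, looks like the following in Go. This is an added example, not code from the Go project or from OpenCVE; the threshold (maxQueryParams), the handler and function names, and the echo upstream are assumptions made for the demonstration. The check deliberately counts raw '&'-separated segments instead of calling url.ParseQuery, so it sees every segment regardless of any parser limit.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxQueryParams is an assumed application-level ceiling on raw query
// parameters. Keep it at or below the urlmaxqueryparams limit the proxy
// relies on, so nothing url.ParseQuery would drop can reach the upstream.
const maxQueryParams = 1000

// countQueryPairs counts '&'-separated segments in the raw query without
// parsing it. Unlike url.ParseQuery it has no parameter limit, so it sees
// every segment, including the trailing "hidden=y" in the advisory's example.
// Empty segments ("a=1&&b=2") are counted too, which only makes the check stricter.
func countQueryPairs(rawQuery string) int {
	if rawQuery == "" {
		return 0
	}
	return strings.Count(rawQuery, "&") + 1
}

// queryWithinLimit reports whether a raw query string has at most limit pairs.
func queryWithinLimit(rawQuery string, limit int) bool {
	return countQueryPairs(rawQuery) <= limit
}

// limitQueryParams rejects requests whose raw query has more than limit pairs
// before the wrapped handler (here the ReverseProxy) ever sees them.
func limitQueryParams(limit int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !queryWithinLimit(r.URL.RawQuery, limit) {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newProxy builds a ReverseProxy whose Rewrite function strips a parameter it
// treats as internal. The decision is made on the parsed form, which is the
// view the advisory says can be incomplete; the middleware above is the guard.
func newProxy(upstream *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream)
			q := pr.Out.URL.Query()
			q.Del("hidden") // intent: never forward "hidden" upstream
			pr.Out.URL.RawQuery = q.Encode()
		},
	}
}

// craftedQuery builds the shape from the advisory, n filler pairs followed by
// "hidden=y". Constructed here purely as sample input for the demonstration.
func craftedQuery(n int) string {
	var b strings.Builder
	for i := 1; i <= n; i++ {
		fmt.Fprintf(&b, "a%d=x&", i)
	}
	b.WriteString("hidden=y")
	return b.String()
}

func main() {
	// Assumed upstream that reports whether "hidden" reached it.
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hidden=%q\n", r.URL.Query().Get("hidden"))
	}))
	defer upstream.Close()
	u, err := url.Parse(upstream.URL)
	if err != nil {
		panic(err)
	}

	handler := limitQueryParams(maxQueryParams, newProxy(u))

	// A normal request passes through; the oversized one is refused with 400
	// before ReverseProxy's sanitization is ever involved.
	for _, raw := range []string{"a1=x&hidden=y", craftedQuery(10000)} {
		rec := httptest.NewRecorder()
		req := httptest.NewRequest(http.MethodGet, "/?"+raw, nil)
		handler.ServeHTTP(rec, req)
		fmt.Printf("pairs=%d status=%d body=%s", countQueryPairs(raw), rec.Code, rec.Body.String())
	}
}
```

Placing the count in front of the proxy rather than inside Rewrite matters: Rewrite only ever sees the parsed form, so a check written there inherits the same blind spot the advisory describes. The threshold should be chosen from the application's real parameter needs, and rejections are worth logging, since a request with thousands of query parameters is itself a useful detection signal.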

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 13 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang go
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Vendors & Products Golang
Golang go

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Go Standard Library
Go Standard Library net/http
Vendors & Products Go Standard Library
Go Standard Library net/http

Sat, 09 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Sat, 09 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Title ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-08T21:30:08.872Z

Reserved: 2026-04-07T18:13:03.527Z

Link: CVE-2026-39825

Vulnrichment

Updated: 2026-05-08T16:46:32.001Z

NVD

Status: Analyzed

Published: 2026-05-07T20:16:43.390

Modified: 2026-05-13T16:58:56.390

Link: CVE-2026-39825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:45:04Z

Weaknesses