VYPR
Medium severity (5.3) · NVD Advisory · Published May 7, 2026 · Updated May 13, 2026

CVE-2026-39825

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Go's ReverseProxy can forward hidden query parameters when the total number exceeds ParseQuery's limit, bypassing Rewrite functions.

Vulnerability

Overview

CVE-2026-39825 is a medium-severity vulnerability in Go's net/http/httputil.ReverseProxy. When the proxy is used with a Rewrite function or a Director function that parses query parameters, it sanitizes the forwarded request by removing parameters not parsed by url.ParseQuery. However, the proxy does not account for ParseQuery's limit on the total number of query parameters, which is controlled by the GODEBUG=urlmaxqueryparams=N setting [1][2].

Exploitation

Mechanism

An attacker can craft a query string containing more parameters than the ParseQuery limit (default 10000). For example, in the query "a1=x&a2=x&...&a10000=x&hidden=y" the parameter hidden=y falls beyond the limit. ParseQuery ignores parameters beyond the limit, but ReverseProxy does not strip them from the forwarded request, so the hidden parameter reaches the backend server while remaining invisible to the proxy's Rewrite function [3].
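As an added illustration (not code from the advisory or from the Go project), the following Go snippet shows the defence-in-depth check a proxy author can apply alongside the upgrade: count the raw key=value pairs before parsing, reject requests above an application-chosen cap (maxQueryParams, a hypothetical value here), and rebuild the outbound query from the parsed url.Values so the backend only receives parameters the Rewrite function actually inspected.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Hypothetical application cap, far below url.ParseQuery's default limit.
const maxQueryParams = 100

// countRawPairs is an upper bound on key=value pairs in an unparsed query.
func countRawPairs(raw string) int {
	if raw == "" {
		return 0
	}
	return strings.Count(raw, "&") + 1
}

// sanitizeQuery rejects oversized queries, else re-encodes only the parsed pairs.
func sanitizeQuery(raw string) (string, error) {
	if countRawPairs(raw) > maxQueryParams {
		return "", errors.New("too many query parameters")
	}
	values, err := url.ParseQuery(raw)
	if err != nil {
		return "", err
	}
	return values.Encode(), nil
}

// newHardenedProxy: 400 on oversized queries, else proxy with a rebuilt query.
func newHardenedProxy(backend *url.URL) http.Handler {
	proxy := &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(backend) // merges any backend query with the inbound one
			clean, _ := sanitizeQuery(pr.Out.URL.RawQuery) // "" on error: fail closed
			pr.Out.URL.RawQuery = clean
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if countRawPairs(r.URL.RawQuery) > maxQueryParams {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}
```

Because the outbound query is re-encoded from the parsed values, any pair that parsing dropped can no longer reach the backend.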

Impact

A remote attacker who can send requests to the proxy can inject arbitrary query parameters that bypass the Rewrite function's processing. This could lead to unintended behavior on the backend, such as parameter pollution, access to hidden endpoints, or manipulation of application logic that relies on the proxy's rewriting. The vulnerability does not require authentication if the proxy is publicly accessible [2].

Mitigation

The vulnerability is fixed in Go versions 1.25.10 and 1.26.3 [1]. Users should upgrade to these versions or later. The fix ensures that ReverseProxy avoids forwarding parameters that exceed the ParseQuery limit. No workaround is available other than upgrading [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
