CVE Tools
Sign in

CVE-2026-39825

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

Published: May 7, 2026Updated: May 13, 2026 Sources: CVE List NVD BDUNVD-CWE-noinfo
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.4%
Top 69.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

NVD-CWE-noinfo

Affected Products

net/http/httputilGo standard library
Library
OSS Libraries / go
gogolangOSS Libraries
GoThe Go ProjectOSS Libraries
go standard libraryoss-projectUSOSS Librariesaka golang standard library, net/http, crypto/x509, html/template
golangoss-projectUSOSS Libraries
the go projectoss-projectOSS Librariesaka go, golang-google-protobuf, crypto

Exploitability

Official Patch Available

References

https://go.dev/cl/770541
go.dev
https://go.dev/issue/78948
go.dev
https://groups.google.com/g/golang-announce/c/qcCIEXso47M
groups.google.com
and 1 more references View all →

Timeline

Published
May 7, 2026
Last Updated
May 13, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-39825 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows