Medium

Go net/http/httputil ReverseProxy query parameter sanitization bypass

Identifiers: CVE-2026-39825, CWE-444

A flaw in Go's net/http/httputil ReverseProxy allowed query parameters to be forwarded to backend services even though they were not visible to proxy-side Rewrite logic, or to a Director function that parses query parameters. ReverseProxy sanitizes forwarded requests by removing parameters not parsed by url.ParseQuery, but it did not account for url.ParseQuery's total-parameter limit, controlled by GODEBUG=urlmaxqueryparams=N. An attacker could supply a query string with enough parameters to exceed that limit, causing trailing parameters to remain unparsed and therefore invisible to Rewrite or Director logic while still being forwarded upstream. The documented example is a query of the form "a1=x&a2=x&...&a10000=x&hidden=y", where "hidden=y" may be forwarded to the backend while being hidden from the proxy's request-rewrite processing.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

This vulnerability creates a discrepancy between what the reverse proxy's security or routing logic sees and what the backend application actually receives. In affected deployments, an attacker may be able to smuggle hidden query parameters past proxy-side validation, rewriting, filtering, or policy enforcement and have those parameters processed by the upstream service. The primary impact is bypass of proxy-enforced request handling assumptions, which can lead to unauthorized backend behavior depending on how the application interprets forwarded query parameters.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid relying on ReverseProxy Rewrite logic or Director-side query parsing as the sole enforcement point for security decisions when attacker-controlled query strings are forwarded. Enforce strict limits on query parameter counts before proxy processing, reject requests with excessive numbers of parameters, and perform validation again at the backend for security-sensitive parameters. Review any deployment using ReverseProxy with Rewrite functions or Director functions that parse query parameters.
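As an added example (not code from this page or from the Go project), the following Go program implements the pre-proxy control described above: a middleware placed in front of httputil.ReverseProxy that counts query pairs in the raw query string without parsing it, rejects requests above an assumed cap of 100 pairs, and additionally cross-checks that url.ParseQuery kept every raw pair, so a query that parses incompletely is refused instead of being forwarded with invisible trailing parameters. The backend URL, the offline capture transport, the cap and the padded query builder are all constructed for the example; the GODEBUG limit is not set here, so on an unpatched-but-default Go the second check only fires on malformed input, while the count cap stops the padded query regardless.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxQueryParams is an assumed cap enforced before the proxy sees the request.
// It sits well below any parser-side limit so a forwarded query can never
// reach the truncation condition the advisory describes.
const maxQueryParams = 100

// countRawQueryParams counts non-empty "key=value" pairs in the raw query
// without parsing it, so the count is immune to any parser limit.
func countRawQueryParams(rawQuery string) int {
	n := 0
	for _, pair := range strings.Split(rawQuery, "&") {
		if pair != "" {
			n++
		}
	}
	return n
}

// queryParsesCompletely reports whether url.ParseQuery kept every raw pair.
// A parser that drops trailing pairs yields fewer parsed values than raw
// pairs; malformed input (bad escapes, ';' separators) is rejected as well.
func queryParsesCompletely(rawQuery string) bool {
	parsed, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false
	}
	parsedCount := 0
	for _, vs := range parsed {
		parsedCount += len(vs)
	}
	return parsedCount == countRawQueryParams(rawQuery)
}

// limitQueryParams is middleware that rejects a request before it reaches the
// proxy when its query has too many pairs or does not parse completely.
func limitQueryParams(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := r.URL.RawQuery
		if countRawQueryParams(raw) > maxQueryParams || !queryParsesCompletely(raw) {
			http.Error(w, "too many or malformed query parameters", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// captureTransport stands in for the network so the example runs offline: it
// records the raw query of the forwarded request and answers 200 OK.
type captureTransport struct{ seen *string }

func (c captureTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	*c.seen = r.URL.RawQuery
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    r,
	}, nil
}

// sendThroughProxy runs one request through the guarded ReverseProxy and
// returns the status the client sees plus the raw query the backend received
// ("" when the request was rejected before forwarding).
func sendThroughProxy(rawQuery string) (int, string) {
	var seen string
	backend, _ := url.Parse("http://backend.internal") // assumed placeholder
	proxy := &httputil.ReverseProxy{
		Rewrite:   func(pr *httputil.ProxyRequest) { pr.SetURL(backend) },
		Transport: captureTransport{seen: &seen},
	}
	rec := httptest.NewRecorder()
	req, _ := http.NewRequest(http.MethodGet, "http://proxy.example/api?"+rawQuery, nil)
	limitQueryParams(proxy).ServeHTTP(rec, req)
	return rec.Code, seen
}

// paddedQuery builds the query shape quoted in the advisory: n filler pairs
// followed by a trailing "hidden=y" (constructed sample input).
func paddedQuery(n int) string {
	var b strings.Builder
	for i := 1; i <= n; i++ {
		fmt.Fprintf(&b, "a%d=x&", i)
	}
	b.WriteString("hidden=y")
	return b.String()
}

func main() {
	for _, q := range []string{"a=1&b=2", paddedQuery(10000)} {
		status, seen := sendThroughProxy(q)
		fmt.Printf("pairs=%d status=%d backend_saw=%q\n", countRawQueryParams(q), status, seen)
	}
}
```

The two checks are deliberately independent: the raw count is what stops the padded request, and the parse-completeness check is a defence in depth that catches any case where the parser's view of the query diverges from the bytes that would be forwarded.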

Remediation

Patch, then assume compromise.

Upgrade Go to a fixed release that corrects ReverseProxy handling of query parameters exceeding the url.ParseQuery limit. The fix prevents ReverseProxy from forwarding parameters that exceed the ParseQuery limit. The security releases are Go 1.26.3 and Go 1.25.10.

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor   Product   Type
Golang   Go        application

