Parameter Exposure Vulnerability in ReverseProxy by Go
CVE-2026-39825

Currently unrated

Key Information:

Vendor
CVE Published: 7 May 2026

What is CVE-2026-39825?

The ReverseProxy component in Go's net/http/httputil package can forward queries containing hidden parameters that are not visible to the Rewrite function. When used with a Rewrite function, or with a Director function that parses query parameters, ReverseProxy sanitizes the forwarded request by removing query parameters that url.ParseQuery does not parse. However, this sanitization fails to respect the limit set by GODEBUG=urlmaxqueryparams=N, which can lead to the exposure of query parameters that should remain hidden. Malicious actors may be able to exploit the exposed parameters, potentially leading to unauthorized access or other security risks.
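A defence-in-depth check that can sit in front of a Rewrite-based ReverseProxy and refuse any query the proxy could not inspect in full. This is an added example, not code from the Go project or from this advisory; the names queryFullyVisible, guard, newProxy and maxParams, the cap of 100 and the loopback addresses are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxParams is an assumed application-level cap, not a value from the advisory.
const maxParams = 100

// queryFullyVisible reports whether rawQuery parses cleanly with url.ParseQuery
// and contains no more than limit "&"-separated pairs.
func queryFullyVisible(rawQuery string, limit int) bool {
	if rawQuery == "" {
		return true
	}
	// Count on the raw string so the result does not depend on any parser limit.
	if strings.Count(rawQuery, "&")+1 > limit {
		return false
	}
	_, err := url.ParseQuery(rawQuery)
	return err == nil
}

// guard answers 400 instead of proxying when the query is not fully visible.
func guard(limit int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !queryFullyVisible(r.URL.RawQuery, limit) {
			http.Error(w, "bad query", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newProxy wraps a Rewrite-based ReverseProxy for target with the guard.
func newProxy(target *url.URL, limit int) http.Handler {
	rp := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) { pr.SetURL(target) }}
	return guard(limit, rp)
}

func main() {
	target, _ := url.Parse("http://127.0.0.1:9000") // constructed backend address
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newProxy(target, maxParams)))
}
```

The cap passed to guard should be no higher than the number of parameters the Rewrite logic is expected to examine, so that nothing reaches the backend unseen.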

Affected Version(s)

net/http/httputil 0 < 1.25.10

net/http/httputil 1.26.0-0 < 1.26.3

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
