ZCyberNews
CVE-2026-39825

Go ReverseProxy Flaw CVE-2026-39825 Leaks Query Parameters

CVE-2026-39825 in Go's ReverseProxy allows query parameters invisible to Rewrite functions to be forwarded, bypassing sanitization in net/http.

Executive Summary

A vulnerability in Go's net/http package, tracked as CVE-2026-39825, allows the ReverseProxy handler to forward HTTP requests containing query parameters that are not visible to Rewrite functions or custom Director functions. This can lead to unintended leakage of sensitive data or bypass of security logic that depends on parameter sanitization. The flaw stems from how ReverseProxy interacts with url.ParseQuery and its configurable limit on the total number of query parameters, controlled via the GODEBUG environment variable. The Go team has released a patch in the upstream repository, and all users of Go's standard library ReverseProxy are advised to update.

Technical Analysis

The ReverseProxy handler in Go's net/http package is designed to forward incoming HTTP requests to a backend server, optionally modifying the request via Rewrite or Director functions. According to the commit message in the Go source repository (CL 770541), the proxy sanitizes the forwarded request to remove query parameters that are not parsed by url.ParseQuery. However, ParseQuery has a built-in limit on the total number of query parameters it will parse, which can be adjusted using the GODEBUG environment variable (specifically GODEBUG=u).

When this limit is exceeded, ParseQuery silently ignores additional parameters. The ReverseProxy implementation, prior to the fix, would then forward those unparsed parameters to the backend, bypassing any sanitization or inspection that the Rewrite or Director function might have performed. This means that a carefully crafted request with an excessive number of query parameters could smuggle data past security checks that rely on Rewrite to filter or modify parameters.

The vulnerability is particularly dangerous where ReverseProxy serves as a gateway or API gateway and Rewrite functions are used to strip sensitive parameters (for example, API keys or session tokens) before the request reaches internal services. An attacker could pad a request with enough parameters to exceed the ParseQuery limit, so that anything beyond the limit never appears in the parsed set the Rewrite function inspects; the proxy then forwards those unseen parameters, including sensitive ones the Rewrite was intended to remove, to the backend.

No CVSS score has been officially published for CVE-2026-39825 as of this writing. The Go team has not disclosed a specific severity rating, but the nature of the flaw, a bypass of security-critical rewrite logic, warrants a high severity classification for deployments that rely on Rewrite for parameter sanitization.

Mitigations & Recommendations

Organizations using Go's net/http ReverseProxy should take the following steps:

  1. Update Go to the patched version. The fix is included in the Go repository as of change CL 770541. The Go team is expected to include this fix in the next stable release. Monitor the official Go release notes for the specific version number.

  2. Audit existing ReverseProxy configurations. Review any Rewrite or Director functions that parse or sanitize query parameters. Determine whether they rely on url.ParseQuery (directly, or through r.URL.Query(), which calls it) and therefore see only the parameters within the limit, leaving the parameter limit open to abuse.

  3. Set an explicit GODEBUG value for u to a low number if your application does not require high parameter counts, reducing the attack surface. However, note that this may break legitimate requests with many parameters.

  4. Consider alternative proxy solutions for high-security environments where parameter sanitization is critical. The Go standard library's ReverseProxy is not designed as a security boundary; additional validation at the application layer is recommended.
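The following is an added example written for this article, not code from the Go project or from the CVE fix itself, showing the application-layer validation that steps 2 and 4 describe. It assumes a hypothetical bound `maxQueryParams` and helper names (`countRawQueryParams`, `sanitizeQuery`, `newGuardedProxy`) chosen for this example, plus a placeholder backend address. The idea is to never trust the parsed view alone: count the segments in the raw query string, reject requests whose raw count exceeds the bound before the proxy runs, and rebuild the outbound query only from parsed, filtered values, so nothing that sits past a parser limit can reach the backend unseen.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxQueryParams is an application-chosen bound on how many query
// parameters we are willing to parse and forward (value assumed here).
const maxQueryParams = 64

// errTooManyParams marks a request that is rejected rather than proxied.
var errTooManyParams = errors.New("too many query parameters")

// countRawQueryParams counts "key=value" segments in the raw query string
// without url.ParseQuery, so segments beyond any parser limit still count.
// Empty segments ("a=1&&b=2") are skipped, as ParseQuery skips them too.
func countRawQueryParams(rawQuery string) int {
	n := 0
	for _, seg := range strings.Split(rawQuery, "&") {
		if seg != "" {
			n++
		}
	}
	return n
}

// sanitizeQuery rebuilds the query only from parameters that were actually
// parsed and are not on the denied list. A raw segment count above the
// bound is refused outright instead of being silently truncated, and any
// ParseQuery error (e.g. a bad escape) is treated as a rejection as well.
func sanitizeQuery(rawQuery string, denied map[string]bool) (string, error) {
	if countRawQueryParams(rawQuery) > maxQueryParams {
		return "", errTooManyParams
	}
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	for key := range values {
		if denied[key] {
			values.Del(key)
		}
	}
	// Encode emits only the surviving parsed pairs (sorted by key), so the
	// outbound query cannot carry anything the filter never saw.
	return values.Encode(), nil
}

// newGuardedProxy wraps a ReverseProxy whose Rewrite forwards only the
// rebuilt query, behind a handler that returns 400 for over-limit requests
// before the proxy runs. This is defence in depth on top of the upstream fix.
func newGuardedProxy(backend *url.URL, denied map[string]bool) http.Handler {
	proxy := &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(backend)
			pr.SetXForwarded()
			clean, err := sanitizeQuery(pr.In.URL.RawQuery, denied)
			if err != nil {
				clean = "" // unreachable after the wrapper below; fail closed anyway
			}
			pr.Out.URL.RawQuery = clean
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if countRawQueryParams(r.URL.RawQuery) > maxQueryParams {
			http.Error(w, errTooManyParams.Error(), http.StatusBadRequest)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	denied := map[string]bool{"api_key": true, "session": true}

	// Constructed samples: a normal request, and one padded so that part of
	// its query would fall past a parser limit.
	normal := "user=alice&api_key=SECRET&page=2"
	padded := strings.Repeat("pad=x&", maxQueryParams) + "api_key=SECRET"

	for _, raw := range []string{normal, padded} {
		clean, err := sanitizeQuery(raw, denied)
		fmt.Printf("segments=%d clean=%q err=%v\n", countRawQueryParams(raw), clean, err)
	}

	backend, _ := url.Parse("http://127.0.0.1:9000") // placeholder backend address
	_ = newGuardedProxy(backend, denied)             // serve with http.ListenAndServe in a real service
}
```

The rejection happens in the wrapper rather than inside Rewrite because Rewrite cannot return an error or write a response; checking the raw segment count first means the proxy, and the upstream fix it now carries, only ever sees requests whose entire query fits in the parsed view.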
