CVE-2026-39825

EUVD-2026-28425

07.05.2026, 20:16

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

golang-1.15

bullseye

vulnerable

golang-1.19

bookworm

vulnerable

golang-1.24

trixie

vulnerable

golang-1.25

forky	vulnerable
sid	1.25.10-1 fixed

golang-1.26

forky	vulnerable
sid	1.26.3-1 fixed

Vulnerability Media Exposure

[GERMAN] Golang Go: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Golang Go ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuführen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.
Published: 2026-05-07T22:00:00+00:00

References

https://go.dev/cl/770541

https://go.dev/issue/78948

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://pkg.go.dev/vuln/GO-2026-4976