CVE-2026-39825

EUVD-2026-28425
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
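A fail-closed guard for the mismatch described above, as an added example that is not code from the Go project or from this advisory: it counts query fields independently of url.ParseQuery and refuses any request whose query a Rewrite function might not see in full. The names maxQueryParams, countQueryParams, rejectOversizedQuery, buildQuery and statusFor, and the limit of 100, are assumptions made for the example; the sample query is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// maxQueryParams: assumed policy limit, at or below GODEBUG=urlmaxqueryparams=N.
const maxQueryParams = 100

// countQueryParams counts '&'-separated fields without parsing them (conservative upper bound).
func countQueryParams(rawQuery string) int { return strings.Count(rawQuery, "&") + 1 }

// rejectOversizedQuery (hypothetical) fails closed in front of a handler
// such as *httputil.ReverseProxy instead of forwarding an unseen tail.
func rejectOversizedQuery(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := url.ParseQuery(r.URL.RawQuery)
		if err != nil || countQueryParams(r.URL.RawQuery) > maxQueryParams {
			http.Error(w, "query rejected", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildQuery constructs sample input shaped like the advisory's example.
func buildQuery(n int) string {
	parts := make([]string, 0, n+1)
	for i := 1; i <= n; i++ {
		parts = append(parts, fmt.Sprintf("a%d=x", i))
	}
	return strings.Join(append(parts, "hidden=y"), "&")
}

// statusFor sends one request through the guard; the stub stands in for the proxy.
func statusFor(rawQuery string) int {
	stub := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
	rec := httptest.NewRecorder()
	rejectOversizedQuery(stub).ServeHTTP(rec, httptest.NewRequest("GET", "/?"+rawQuery, nil))
	return rec.Code
}

func main() {
	fmt.Println(statusFor("a=1&b=2"), statusFor(buildQuery(maxQueryParams)))
}
```

Wrapping the proxy as rejectOversizedQuery(proxy) keeps the decision in one place: a query is either fully visible to the Rewrite function or the request is not forwarded at all.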
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
EPSS Score
Percentile: 30%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.25.10 |
| golang | go | 1.26.0 ≤ 𝑥 < 1.26.3 |

𝑥 = Vulnerable software versions
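Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| golang-1.15 | bullseye | | postponed |
| golang-1.19 | bookworm | | no-dsa |
| golang-1.24 | trixie | | no-dsa |
| golang-1.25 | forky | 1.25.11-1 | fixed |
| golang-1.25 | sid | 1.25.11-1 | fixed |
| golang-1.26 | forky | 1.26.4-1 | fixed |
| golang-1.26 | sid | 1.26.4-1 | fixed |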
Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| amazon-cloudwatch-agent | Amazon Linux 2 | 0:1.300066.2-2.amzn2 | fixed |
| amazon-cloudwatch-agent | Amazon Linux 2023 | 0:1.300066.2-2.amzn2023 | fixed |
| amazon-ecr-credential-helper | Amazon Linux 2023 | 0:0.12.0-3.amzn2023 | fixed |
| compat-golang-github-cpuguy83-md2man-2-devel | Amazon Linux 2023 | 0:2.0.2-24.amzn2023.0.7 | fixed |
| containerd | Amazon Linux 2023 | 0:2.2.3-1.amzn2023.0.2 | fixed |
| containerd-debuginfo | Amazon Linux 2023 | 0:2.2.3-1.amzn2023.0.2 | fixed |
| containerd-debugsource | Amazon Linux 2023 | 0:2.2.3-1.amzn2023.0.2 | fixed |
| containerd-stress | Amazon Linux 2023 | 0:2.2.3-1.amzn2023.0.2 | fixed |
| containerd-stress-debuginfo | Amazon Linux 2023 | 0:2.2.3-1.amzn2023.0.2 | fixed |
| credentials-fetcher | Amazon Linux 2023 | 0:2.0.1-1.amzn2023.0.5 | fixed |
| docker | Amazon Linux 2023 | 0:25.0.14-1.amzn2023.0.6 | fixed |
| docker-debuginfo | Amazon Linux 2023 | 0:25.0.14-1.amzn2023.0.6 | fixed |
| docker-debugsource | Amazon Linux 2023 | 0:25.0.14-1.amzn2023.0.6 | fixed |
| ecs-init | Amazon Linux 2023 | 0:1.103.2-1.amzn2023 | fixed |
| golang | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-bin | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-bin | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-docs | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-docs | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-github-burntsushi-toml | Amazon Linux 2023 | 0:1.5.0-1.amzn2023.0.1 | fixed |
| golang-github-burntsushi-toml-debuginfo | Amazon Linux 2023 | 0:1.5.0-1.amzn2023.0.1 | fixed |
| golang-github-burntsushi-toml-debugsource | Amazon Linux 2023 | 0:1.5.0-1.amzn2023.0.1 | fixed |
| golang-github-burntsushi-toml-devel | Amazon Linux 2023 | 0:1.5.0-1.amzn2023.0.1 | fixed |
| golang-github-burntsushi-toml-test | Amazon Linux 2023 | 0:0.2.0-8.amzn2023.0.3 | fixed |
| golang-github-burntsushi-toml-test-debuginfo | Amazon Linux 2023 | 0:0.2.0-8.amzn2023.0.3 | fixed |
| golang-github-burntsushi-toml-test-debugsource | Amazon Linux 2023 | 0:0.2.0-8.amzn2023.0.3 | fixed |
| golang-github-burntsushi-toml-test-devel | Amazon Linux 2023 | 0:0.2.0-8.amzn2023.0.3 | fixed |
| golang-github-cpuguy83-md2man | Amazon Linux 2023 | 0:2.0.2-24.amzn2023.0.7 | fixed |
| golang-github-cpuguy83-md2man-debuginfo | Amazon Linux 2023 | 0:2.0.2-24.amzn2023.0.7 | fixed |
| golang-github-cpuguy83-md2man-debugsource | Amazon Linux 2023 | 0:2.0.2-24.amzn2023.0.7 | fixed |
| golang-github-cpuguy83-md2man-devel | Amazon Linux 2023 | 0:2.0.2-24.amzn2023.0.7 | fixed |
| golang-misc | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-misc | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-shared | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-shared | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-src | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-src | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golang-tests | Amazon Linux 2 | 0:1.25.10-1.amzn2.0.1 | fixed |
| golang-tests | Amazon Linux 2023 | 0:1.25.10-1.amzn2023.0.1 | fixed |
| golist | Amazon Linux 2 | 0:0.10.1-10.amzn2.0.13 | fixed |
| golist | Amazon Linux 2023 | 0:0.10.4-12.amzn2023.0.9 | fixed |
| golist-debuginfo | Amazon Linux 2 | 0:0.10.1-10.amzn2.0.13 | fixed |
| golist-debuginfo | Amazon Linux 2023 | 0:0.10.4-12.amzn2023.0.9 | fixed |
| golist-debugsource | Amazon Linux 2023 | 0:0.10.4-12.amzn2023.0.9 | fixed |
| nerdctl | Amazon Linux 2 | 0:2.2.2-1.amzn2.0.2 | fixed |
| nerdctl | Amazon Linux 2023 | 0:2.2.2-1.amzn2023.0.2 | fixed |
| nerdctl-debuginfo | Amazon Linux 2 | 0:2.2.2-1.amzn2.0.2 | fixed |
| oci-add-hooks | Amazon Linux 2023 | 0:0-0.1.20200504git268e3bb.amzn2023.0.11 | fixed |
| oci-add-hooks-debuginfo | Amazon Linux 2023 | 0:0-0.1.20200504git268e3bb.amzn2023.0.11 | fixed |
| oci-add-hooks-debugsource | Amazon Linux 2023 | 0:0-0.1.20200504git268e3bb.amzn2023.0.11 | fixed |
| runc | Amazon Linux 2023 | 0:1.3.4-5.amzn2023.0.2 | fixed |
| runc-debuginfo | Amazon Linux 2023 | 0:1.3.4-5.amzn2023.0.2 | fixed |
| runc-debugsource | Amazon Linux 2023 | 0:1.3.4-5.amzn2023.0.2 | fixed |
| runfinch-finch | Amazon Linux 2023 | 0:1.17.0-1.amzn2023.0.2 | fixed |
| soci-snapshotter | Amazon Linux 2023 | 0:0.13.0-1.amzn2023.0.3 | fixed |