GO-2026-4976

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2026-4976

Import Source

https://vuln.go.dev/ID/GO-2026-4976.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2026-4976

Aliases

BIT-golang-2026-39825
CVE-2026-39825

Related

CGA-hgj8-xv45-c75x

Published

2026-05-07T19:21:40Z

Modified

2026-05-11T08:11:26.883618096Z

Summary

ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil

Details

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2026-4976",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.10

Introduced

1.26.0-0

Fixed

1.26.3

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "ReverseProxy.ServeHTTP",
                "cleanQueryParams"
            ],
            "path": "net/http/httputil"
        }
    ]
}

Database specific

source

"https://vuln.go.dev/ID/GO-2026-4976.json"