## Go ReverseProxy Flaw Exposes Rewrite Logic to Query Parameter Bypass (CVE-2026-39825)
A security flaw in Go's `net/http/httputil.ReverseProxy` allows proxied requests containing excessive query parameters to bypass user-defined `Rewrite` function filtering, according to a GitHub issue tracking the vulnerability as CVE-2026-39825.

The issue stems from a mismatch between how `ReverseProxy` sanitizes query parameters and how `net/url.ParseQuery` enforces its parameter limit. By default, `ParseQuery` refuses to parse a query string carrying more than 10,000 parameters; the threshold is controlled by the `GODEBUG=urlmaxqueryparams=N` setting. When a proxied request exceeds this limit, `ReverseProxy` hands the request to the `Rewrite` function without accounting for the parameters that `ParseQuery` refused. A `Rewrite` hook that inspects parameters through `URL.Query()`, which calls `ParseQuery` and discards its error, may therefore see an incomplete or empty set of parameters while `URL.RawQuery`, and with it the request sent to the backend, still carries all of them. Filtering or logging logic keyed on the parsed values is bypassed without any error being raised.

The proposed remediation is for `ReverseProxy` to set `ProxyRequest.Out.URL.RawQuery` to an empty string when the parameter limit is exceeded, so that `Rewrite` starts from a clean slate and nothing unvalidated is forwarded by default. A `Rewrite` function that genuinely needs the original parameters can restore them explicitly from the inbound request in `ProxyRequest.In`. This makes filtering and transformation logic operate on a consistent, predictable state instead of silently failing to observe query data.
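As an added example, not code from the issue or from the Go project, the program below reproduces the pattern the issue describes and the fail-closed alternative. `vulnerableRewrite` filters a hypothetical `debug` parameter through `URL.Query()`, which swallows the `ParseQuery` error; `hardenedRewrite` parses explicitly, rejects queries over the limit before parsing, and clears `RawQuery` on any error, which is the state the proposed fix would hand to `Rewrite`. The 10,000 constant mirrors the default the article attributes to `urlmaxqueryparams` and is re-checked inside the example so the hardened path behaves the same on Go versions that do not enforce the limit. The loopback backend and the constructed oversized query exist only to show what actually reaches the backend.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxQueryParams mirrors the 10,000-parameter default the article attributes to
// net/url.ParseQuery (GODEBUG urlmaxqueryparams). It is an assumption of this
// example, re-checked explicitly so the fail-closed path does not depend on
// the Go version the example is compiled with.
const maxQueryParams = 10000

// sensitiveParam is a hypothetical parameter the proxy must never forward.
const sensitiveParam = "debug"

// countQueryParams counts non-empty "&"-separated pairs without decoding them.
func countQueryParams(raw string) int {
	n := 0
	for _, kv := range strings.Split(raw, "&") {
		if kv != "" {
			n++
		}
	}
	return n
}

// vulnerableRewrite filters through URL.Query(), which calls ParseQuery and
// discards its error. If ParseQuery refuses the query, q is incomplete or
// empty, q.Has reports false, RawQuery is left untouched and the sensitive
// parameter is forwarded to the backend anyway.
func vulnerableRewrite(pr *httputil.ProxyRequest) {
	q := pr.Out.URL.Query()
	if q.Has(sensitiveParam) {
		q.Del(sensitiveParam)
		pr.Out.URL.RawQuery = q.Encode()
	}
}

// filterQuery is the fail-closed core of the hardened hook: it refuses
// oversized queries before parsing, surfaces the ParseQuery error instead of
// dropping it, and returns an empty query on any failure.
func filterQuery(raw string, deny ...string) (string, error) {
	if n := countQueryParams(raw); n > maxQueryParams {
		return "", fmt.Errorf("query has %d parameters, limit is %d", n, maxQueryParams)
	}
	q, err := url.ParseQuery(raw)
	if err != nil {
		return "", err
	}
	for _, k := range deny {
		q.Del(k)
	}
	return q.Encode(), nil
}

// hardenedRewrite applies filterQuery and, on error, clears RawQuery so that
// nothing unvalidated reaches the backend.
func hardenedRewrite(pr *httputil.ProxyRequest) {
	filtered, err := filterQuery(pr.Out.URL.RawQuery, sensitiveParam)
	if err != nil {
		pr.Out.URL.RawQuery = ""
		return
	}
	pr.Out.URL.RawQuery = filtered
}

// forwardedQuery runs a loopback backend behind a ReverseProxy using the given
// filter and returns the raw query the backend actually received.
func forwardedQuery(filter func(*httputil.ProxyRequest), rawQuery string) (string, error) {
	seen := make(chan string, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.URL.RawQuery
	}))
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	proxy := &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(target)
		filter(pr)
	}}
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL + "/?" + rawQuery)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

// oversizedQuery is a constructed query with more than maxQueryParams
// parameters and the sensitive parameter hidden at the end.
func oversizedQuery() string {
	return strings.Repeat("p=1&", maxQueryParams+1) + sensitiveParam + "=1"
}

func main() {
	hooks := map[string]func(*httputil.ProxyRequest){"vulnerable": vulnerableRewrite, "hardened": hardenedRewrite}
	for _, raw := range []string{"a=1&" + sensitiveParam + "=1", oversizedQuery()} {
		for name, f := range hooks {
			got, err := forwardedQuery(f, raw)
			if err != nil {
				fmt.Println(name, "error:", err)
				continue
			}
			leaked := strings.Contains("&"+got, "&"+sensitiveParam+"=")
			fmt.Printf("%-10s %6d params in, backend saw %s: %v\n", name, countQueryParams(raw), sensitiveParam, leaked)
		}
	}
}
```

What the vulnerable hook forwards for the oversized query depends on the Go version: a toolchain without the limit parses everything and strips the parameter, while one that enforces it may leave `RawQuery` untouched. The program prints that outcome rather than assuming it; the hardened hook forwards an empty query in both cases.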

The issue is filed under Go's PUBLIC security track, meaning it is being handled in the open rather than under embargo, and it potentially affects any Go application that uses `ReverseProxy` with a custom `Rewrite` function. Until a fix ships, developers should watch the Go security announcements and review whether their `Rewrite` implementations assume that `URL.Query()` returns every parameter the client sent; a hook that calls `url.ParseQuery` itself and fails closed on error does not make that assumption.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Go, CVE-2026-39825, ReverseProxy, query parameters, security vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-25 00:54:08
- **ID**: 76989
- **URL**: https://whisperx.ai/en/intel/76989