CVE-2026-39825

medium

Published 2026-05-07 · Modified 2026-05-11

CVSS v3

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2

—

VIR risk

5.3

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Predictions

Exploit likelihood

63%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-39825.html

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-39825

vendor Authored 2026-05-27

Vendor advisory: security@golang.org — https://pkg.go.dev/vuln/GO-2026-4976

vendor Authored 2026-05-27

Vendor advisory: security@golang.org — https://groups.google.com/g/golang-announce/c/qcCIEXso47M

vendor Authored 2026-05-27

Vendor advisory: security@golang.org — https://go.dev/cl/770541

OS impact

OS	Version	Status	Fixed in
debian	trixie	affected
debian	bullseye	affected
debian	bookworm	affected
debian	forky	fixed	`1.25.10-1`
debian	sid	fixed	`1.25.10-1`
sles		affected

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	stdlib	`>=1.26.0-0,<1.26.3`	`1.25.10`

Application impact

Vendor	Product	Versions	Fixed
golang	go	`{"endExcluding":"1.25.10"}`	`1.25.10`
google	gcp

References

Verify integrity in audit chain (admin only). AS-IS.