Bug 2467823 (CVE-2026-39825)

Summary: CVE-2026-39825 net/http/httputil: golang: net/http/httputil: ReverseProxy forwards hidden query parameters, potentially bypassing security controls
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, akostadi, akoudelk, alcohan, alizardo, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, bbrownin, bdettelb, bniver, bparees, chfoley, ckandaga, cmah, crizzo, dakwon, dhanak, dkeler, dmayorov, doconnor, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, eglynn, ehelms, erezende, fdeutsch, flucifre, ggainey, gmeno, gparvin, groman, hasun, ibolton, jaharrin, jbalunas, jburrell, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlanda, jlledo, jmatthew, jmontleo, jolong, jowilson, jpasqual, jprabhak, jpretori, jschluet, juwatts, kingland, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, lgamliel, lhh, lphiri, lwan, manissin, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhess, mhulan, mnovotny, mwringe, nboldt, ngough, nmoumoul, nyancey, oaljalju, ometelka, oramraz, osousa, pahickey, pantinor, pcreech, peholase, pgaikwad, pjindal, psrna, ptisnovs, pvasanth, rchan, rekumar, rfreiman, rgodfrey, rhaigner, rhel-process-autobot, rjohnson, rojacob, sakbas, sausingh, sbratsla, sdawley, sfeifer, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, suppawar, swoodman, syedriko, teagle, thason, tmalecek, tsedmik, tzivkovi, vereddy, veshanka, vkarehfa, vle, vvoronko, vwilson, watson-tool-maintainers, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `net/http/httputil` package, specifically within the `ReverseProxy` component. This vulnerability allows the `ReverseProxy` to forward query parameters that are not visible to `Rewrite` functions. This occurs because the `ReverseProxy` does not correctly consider the `url.ParseQuery` limit on the total number of query parameters. A remote attacker could exploit this to send hidden query parameters, potentially bypassing security policies or controls implemented by `Rewrite` functions, leading to information disclosure or unexpected behavior.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-07 20:02:00 UTC
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Comment 2 errata-xmlrpc 2026-06-01 00:43:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120

Comment 3 errata-xmlrpc 2026-06-01 01:00:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121

Comment 4 errata-xmlrpc 2026-06-01 01:04:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:22112 https://access.redhat.com/errata/RHSA-2026:22112