Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for net/http/httputil by Go standard library
CVE-2026-39825 (GCVE-0-2026-39825)
Vulnerability from nvd – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30
VLAI
Title
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
Summary
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:46:43.329507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:08.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "cleanQueryParams"
},
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery\u0027s limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x\u0026a2=x\u0026...\u0026a10000=x\u0026hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy\u0027s Rewrite function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.453Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/770541"
},
{
"url": "https://go.dev/issue/78948"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4976"
}
],
"title": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39825",
"datePublished": "2026-05-07T19:41:18.453Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T21:30:08.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-2880 (GCVE-0-2022-2880)
Vulnerability from nvd – Published: 2022-10-14 00:00 – Updated: 2025-02-13 16:32
VLAI
Title
Incorrect sanitization of forwarded query parameters in net/http/httputil
Summary
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Severity
No CVSS data available.
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.18.7
(semver)
Affected: 1.19.0-0 , < 1.19.2 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/54663"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/432976"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-1038"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.18.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.19.2",
"status": "affected",
"version": "1.19.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gal Goldstein (Security Researcher, Oxeye)"
},
{
"lang": "en",
"value": "Daniel Abeles (Head of Research, Oxeye)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:33.806Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/54663"
},
{
"url": "https://go.dev/cl/432976"
},
{
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-1038"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Incorrect sanitization of forwarded query parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-2880",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-08-17T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:32:39.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-39825 (GCVE-0-2026-39825)
Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 21:30
VLAI
Title
ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil
Summary
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.25.10
(semver)
Affected: 1.26.0-0 , < 1.26.3 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:46:43.329507Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:08.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "cleanQueryParams"
},
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.25.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.26.3",
"status": "affected",
"version": "1.26.0-0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery\u0027s limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x\u0026a2=x\u0026...\u0026a10000=x\u0026hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy\u0027s Rewrite function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T19:41:18.453Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/770541"
},
{
"url": "https://go.dev/issue/78948"
},
{
"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4976"
}
],
"title": "ReverseProxy forwards queries with more than urlmaxqueryparams parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-39825",
"datePublished": "2026-05-07T19:41:18.453Z",
"dateReserved": "2026-04-07T18:13:03.527Z",
"dateUpdated": "2026-05-08T21:30:08.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-2880 (GCVE-0-2022-2880)
Vulnerability from cvelistv5 – Published: 2022-10-14 00:00 – Updated: 2025-02-13 16:32
VLAI
Title
Incorrect sanitization of forwarded query parameters in net/http/httputil
Summary
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.
Severity
No CVSS data available.
CWE
- CWE-444 - Inconsistent Interpretation of HTTP Requests
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Go standard library | net/http/httputil |
Affected:
0 , < 1.18.7
(semver)
Affected: 1.19.0-0 , < 1.19.2 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:52:59.582Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/54663"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/432976"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2022-1038"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/http/httputil",
"product": "net/http/httputil",
"programRoutines": [
{
"name": "ReverseProxy.ServeHTTP"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.18.7",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.19.2",
"status": "affected",
"version": "1.19.0-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gal Goldstein (Security Researcher, Oxeye)"
},
{
"lang": "en",
"value": "Daniel Abeles (Head of Research, Oxeye)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-25T11:09:33.806Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/54663"
},
{
"url": "https://go.dev/cl/432976"
},
{
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU"
},
{
"url": "https://pkg.go.dev/vuln/GO-2022-1038"
},
{
"url": "https://security.gentoo.org/glsa/202311-09"
}
],
"title": "Incorrect sanitization of forwarded query parameters in net/http/httputil"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-2880",
"datePublished": "2022-10-14T00:00:00.000Z",
"dateReserved": "2022-08-17T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:32:39.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}