Go ReverseProxy Query Parameter Forwarding Vulnerability
Vulnerability
A vulnerability exists in the Go standard library's net/http/httputil package, specifically in the ReverseProxy component: ReverseProxy can forward query parameters that are not visible to the Rewrite function. When a Rewrite function or a Director function parses the request's query parameters, ReverseProxy sanitizes the outbound request by removing query parameters that url.ParseQuery would not parse. However, this sanitization does not account for ParseQuery's cap on the number of query parameters, controlled by GODEBUG=urlmaxqueryparams=N. Parameters beyond that cap are never returned by ParseQuery, yet ReverseProxy still forwards them. For instance, a query with 10,000 visible parameters could still forward a 'hidden' parameter that the Rewrite function never saw.
Impact
Exploitation of this vulnerability allows for the unintentional forwarding of query parameters that could be used maliciously or to manipulate the behavior of the application receiving the proxied request.
Reproduction
To reproduce this vulnerability, use the ReverseProxy's ServeHTTP method with a Rewrite function or a Director function that parses query parameters. Send a request that includes more query parameters than the ParseQuery limit allows, such as 10,000 visible parameters plus an additional hidden parameter. The ReverseProxy will forward the hidden parameter without it being processed by the Rewrite function.
Remediation
Users can upgrade to Go versions 1.26.3 or 1.25.10, both of which include the necessary fix. Instructions for downloading these versions are available on the Go website.
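For deployments that cannot upgrade immediately, the mitigation that follows is an added example written for this page, not code from the Go project or from the advisory. It wraps a ReverseProxy whose Rewrite parses the query (the pattern the advisory describes) in a guard that counts the raw `&`-separated pairs on the wire, rejects the request with 400 when that count exceeds an explicit limit, and otherwise replaces the query with the re-encoded output of url.ParseQuery before the proxy runs. The upstream therefore receives exactly the parameters the Rewrite function can see, regardless of the GODEBUG cap. The limit constant, the echo upstream, and the function names (`countRawPairs`, `normalizeQuery`, `queryGuard`, `newProxy`, `runThroughProxy`) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Assumed, illustrative limit for this example. The real ceiling that
// url.ParseQuery applies is whatever GODEBUG=urlmaxqueryparams sets for
// the running Go version; this guard enforces its own cap independently.
const maxQueryParams = 10

// countRawPairs counts the non-empty '&'-separated pairs in a raw query
// string without parsing it, so the count reflects what is on the wire
// rather than the subset url.ParseQuery chose to keep.
func countRawPairs(raw string) int {
	n := 0
	for _, pair := range strings.Split(raw, "&") {
		if pair != "" {
			n++
		}
	}
	return n
}

// normalizeQuery returns the query the upstream should see: only the pairs
// that url.ParseQuery actually produced, re-encoded. It fails closed when
// the raw query carries more pairs than the limit or contains pairs that
// ParseQuery rejects, so no parameter can be forwarded unseen.
func normalizeQuery(raw string, limit int) (string, error) {
	if n := countRawPairs(raw); n > limit {
		return "", fmt.Errorf("query has %d parameters, limit is %d", n, limit)
	}
	values, err := url.ParseQuery(raw)
	if err != nil {
		return "", err
	}
	return values.Encode(), nil
}

// queryGuard wraps a proxy handler: requests whose query exceeds the limit
// or fails to parse get 400; otherwise the query is replaced with its
// normalized form before the proxy's Rewrite runs, so Rewrite and the
// upstream see the same parameter set.
func queryGuard(limit int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q, err := normalizeQuery(r.URL.RawQuery, limit)
		if err != nil {
			http.Error(w, "too many or malformed query parameters", http.StatusBadRequest)
			return
		}
		r.URL.RawQuery = q
		next.ServeHTTP(w, r)
	})
}

// newProxy builds a ReverseProxy whose Rewrite parses the incoming query,
// which is the configuration the advisory describes, and routes to upstream.
func newProxy(upstream *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(upstream)
			_ = pr.In.ParseForm() // parse the query, as a real Rewrite might
		},
	}
}

// runThroughProxy stands up an echo upstream (constructed for this example),
// sends one GET with the given raw query through the guarded proxy, and
// returns the status the client saw and the raw query the upstream received
// ("" when the guard rejected the request before it reached the upstream).
func runThroughProxy(limit int, rawQuery string) (status int, upstreamSaw string) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		upstreamSaw = r.URL.RawQuery
		w.WriteHeader(http.StatusOK)
	}))
	defer upstream.Close()

	target, err := url.Parse(upstream.URL)
	if err != nil {
		panic(err)
	}
	handler := queryGuard(limit, newProxy(target))

	req := httptest.NewRequest(http.MethodGet, "/search?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, upstreamSaw
}

func main() {
	for _, q := range []string{"b=2&a=1", "a=1&b=2&c=3&hidden=4"} {
		status, saw := runThroughProxy(3, q)
		fmt.Printf("client query %q -> status %d, upstream saw %q\n", q, status, saw)
	}
}
```

The guard counts pairs on the raw string rather than trusting the parsed length because the advisory's point is precisely that the parsed view can be shorter than the wire view; rejecting outright, instead of truncating, keeps the proxy from silently dropping parameters the client relied on and makes the oversize requests visible in access logs as 400s.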