CVE-2026-39825: Go ReverseProxy Lacks Query Parameter Limit, Enabling Injection and Resource Exhaustion Risks
A confirmed vulnerability in the Go standard library exposes applications that use `net/http/httputil.ReverseProxy` to query parameter injection and resource exhaustion. Tracked as CVE-2026-39825 (Go vulnerability database entry GO-2026-4976), the flaw is that `ReverseProxy` enforces no limit on the number of query parameters it forwards to the upstream server. Go 1.26.2 is affected; the fix ships in Go 1.26.3.
The vulnerability lies in how `ReverseProxy` handles the query string of an incoming request. With no ceiling on the parameter count, an attacker can send a request carrying an arbitrary number of query parameters and the proxy passes all of them through unchanged. The attacker thereby controls both the number and the content of the parameters the backend must parse, which lets crafted parameters reach the backend through the proxy and forces the backend to spend CPU and memory parsing an inflated query. The risk is greatest for downstream services that assume the proxy bounds the parameter count for them and therefore apply no limit of their own to malformed or oversized query strings.
Applications directly in scope are any services built with Go 1.26.2 that use `ReverseProxy` for request forwarding, in particular web servers, API gateways, and microservices that act as intermediaries. The issue warrants priority attention wherever the reverse proxy handles traffic from external or untrusted sources. Upgrading to Go 1.26.3 closes the gap in parameter limit enforcement; organizations should audit their deployments for use of the affected package and rebuild any binaries that link it.