The vulnerability in Go's net/http/httputil ReverseProxy occurs because it forwards query parameters that exceed the parsing limit set by url.ParseQuery, controlled by GODEBUG=urlmaxqueryparams. While Rewrite or Director functions parse and sanitize query parameters, they do not see parameters beyond this limit, but ReverseProxy still forwards them. This discrepancy allows hidden query parameters to be forwarded without detection by the proxy's rewriting logic, leading to inconsistent HTTP request interpretation (CWE-444). This can potentially be leveraged for HTTP Request/Response Smuggling attacks. The affected versions include Go standard library versions up to 1.26.0-0. There is no CVSS score or official remediation level provided, and no patch links are available.

The impact is that an attacker can craft HTTP requests with hidden query parameters that bypass the proxy's Rewrite or Director functions, potentially leading to inconsistent request handling. This inconsistency can be exploited to smuggle HTTP requests or responses, which may affect downstream services relying on the proxy for request validation or modification. However, no known exploits have been reported, and the exact impact depends on the deployment context and use of Rewrite or Director functions.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should be cautious when using ReverseProxy with Rewrite or Director functions that parse query parameters. Consider limiting the number of query parameters or implementing additional validation to detect hidden parameters. Monitor vendor communications for updates and patches addressing this issue.