Skip to content

[BUG] Incorrect URL duplication and modified path when running template with query parameters #6689

New issue
New issue
Open
Open
[BUG] Incorrect URL duplication and modified path when running template with query parameters#6689
Labels
Status: StaleThis issue/PR has been inactive for a while and may be closed soon if no further activity occType: BugInconsistencies or issues which will cause an issue or problem for users or implementors.
@crazyMarky

Description

@crazyMarky
crazyMarky
opened on Dec 11, 2025

Is there an existing issue for this?

  • I have searched the existing issues.

Current Behavior

When using Nuclei to scan a URL containing query parameters, Nuclei unexpectedly duplicates parameters and modifies the request path before sending it. This behavior occurs even with a simple template and does not reflect the original target URL provided by the user.

This appears to be an internal request-building bug in nuclei v3.6.0.

Expected Behavior

Issue Description

When using Nuclei to scan a URL containing query parameters, Nuclei unexpectedly duplicates parameters and modifies the request path before sending it. This behavior occurs even with a simple template and does not reflect the original target URL provided by the user.

This appears to be an internal request-building bug in nuclei v3.6.0.

Steps to Reproduce

Run the following command:

nuclei -u "http://127.0.0.1:8081/aaa/bbb?a=1&b=2" \
  -t /Users/huimingliao/Documents/code/CyberStrikeAI/test.yaml \
  -debug \
  -proxy http://127.0.0.1:8080

Template (test.yaml):

id: path-test

info:
  name: Path Test
  author: you
  severity: info

requests:
  - raw:
      - |
        GET {{Path}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: test-nuclei
        Connection: close

Actual Behavior

Nuclei prints the following (excerpt):

Image

[INF] [path-test] Dumped HTTP request for http://127.0.0.1:8081/aaa/bbb/aaa?a=1&a=1&b=2&b=2

GET /aaa/bbb/aaa?a=1&a=1&b=2&b=2 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: test-nuclei

Unexpected issues observed:

The original request path /aaa/bbb becomes /aaa/bbb/aaa.

Query parameters (a=1, b=2) are duplicated.

Final request URL differs from both:

the target provided via -u

the path defined in the template

This happens even though the template only defines {{BaseURL}}/aaa.

Expected Behavior

Nuclei should build the request as:

GET /aaa HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: test-nuclei

Specifically:

{{BaseURL}} should resolve to the root of the provided URL (http://127.0.0.1:8081)

path components should not be merged with the user-specified path

query parameters should not be duplicated or re-attached to template-generated paths unless explicitly defined

Additional Notes

This issue occurs even when running without Burp or any proxy logic.
The debug output itself shows Nuclei constructing an incorrect request before it reaches the proxy layer, which confirms the bug is internal to Nuclei request building.

Attachments (Raw Output Excerpt)
[INF] [path-test] Dumped HTTP request for http://127.0.0.1:8081/aaa/bbb/aaa?a=1&a=1&b=2&b=2

GET /aaa/bbb/aaa?a=1&a=1&b=2&b=2 HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: test-nuclei
Connection: close
Accept-Encoding: gzip

Steps To Reproduce

nuclei -u "http://127.0.0.1:8081/aaa/bbb?a=1&b=2"
-t /Users/huimingliao/Documents/code/CyberStrikeAI/test.yaml
-debug
-proxy http://127.0.0.1:8080

Relevant log output



Environment


Nuclei version: v3.6.0
Templates version: v10.3.5
OS: macOS (Apple Silicon, M1 Pro)
Command used: see reproduction steps above


Anything else?


No response
Metadata
Metadata
Assignees
No one assigned
    Labels
    Status: StaleThis issue/PR has been inactive for a while and may be closed soon if no further activity occType: BugInconsistencies or issues which will cause an issue or problem for users or implementors.
    Type
    No type
    Projects
    No projects
    Milestone
    No milestone
    Relationships
    None yet
    Development
    No branches or pull requests
    Issue actions