Description
We generally treat malformed value pairs in URL queries as a soft error, ignoring the invalid pair but accepting others. For example, the following (playground link) accepts the value for the key `b` even as it rejects the invalid one for `a`:
```go
package main
import ("fmt"; "net/url")
func main() {
	u, _ := url.Parse("http://go.dev/?a=%x&b=ok")
	v, err := url.ParseQuery(u.RawQuery)
	fmt.Println(v, err)
	// map[b:[ok]] invalid URL escape "%x"
}
```
`ReverseProxy` should not include unparseable query parameters when forwarding a request, since this is a vector for parameter smuggling. In Go 1.17, we changed URL parsing to reject keys containing a semicolon (https://go.dev/issue/25192). If a Go 1.17 `ReverseProxy` forwards a request to a backend which treats semicolons as a parameter separator (as Go 1.16 and earlier did), the proxy and backend may disagree on the parameter values of the request.
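The disagreement described above, as an added example that is not part of the issue or of Go's own `ReverseProxy` code. `cleanQuery` is a hypothetical helper that rebuilds the raw query from only the pairs Go 1.17+ `url.ParseQuery` accepts (pairs that fail to unescape, or that contain a semicolon anywhere in the pair, are dropped); `legacyParseQuery` is a constructed approximation of a pre-1.17 backend that splits on both `&` and `;`. The input is constructed to contain both an invalid escape and a semicolon-smuggled parameter.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// cleanQuery re-serialises a raw query string, keeping only the key=value
// pairs that Go 1.17+ url.ParseQuery would accept. Kept pairs are copied
// verbatim (still percent-encoded), so nothing is re-encoded on the way out.
// Hypothetical helper written for this example, not Go's own code.
func cleanQuery(raw string) string {
	var kept []string
	for _, pair := range strings.Split(raw, "&") {
		if pair == "" {
			continue
		}
		// Go 1.17+ rejects the whole pair if it contains a semicolon, not just
		// the key, so check the pair before splitting on '='.
		if strings.Contains(pair, ";") {
			continue
		}
		key, value, _ := strings.Cut(pair, "=")
		if _, err := url.QueryUnescape(key); err != nil {
			continue // e.g. "a=%x": the proxy would ignore it, a backend might not
		}
		if _, err := url.QueryUnescape(value); err != nil {
			continue
		}
		kept = append(kept, pair)
	}
	return strings.Join(kept, "&")
}

// legacyParseQuery is a constructed approximation of a Go 1.16-era backend:
// it treats both '&' and ';' as pair separators and drops pairs that fail
// to unescape. It exists only to show how the backend's view can differ.
func legacyParseQuery(raw string) url.Values {
	v := url.Values{}
	sep := func(r rune) bool { return r == '&' || r == ';' }
	for _, pair := range strings.FieldsFunc(raw, sep) {
		key, value, _ := strings.Cut(pair, "=")
		k, err1 := url.QueryUnescape(key)
		val, err2 := url.QueryUnescape(value)
		if err1 != nil || err2 != nil {
			continue
		}
		v[k] = append(v[k], val)
	}
	return v
}

func main() {
	// Constructed request query: one invalid escape, one smuggled "role".
	raw := "a=%x&b=ok&user=alice;role=admin"

	modern, err := url.ParseQuery(raw)
	fmt.Println("proxy (Go 1.17+) sees:     ", modern, "err:", err)
	fmt.Println("backend (legacy) sees:     ", legacyParseQuery(raw))

	forwarded := cleanQuery(raw)
	fmt.Println("query after cleaning:      ", forwarded)
	fmt.Println("backend sees after cleaning:", legacyParseQuery(forwarded))
}
```

Without cleaning, the proxy's parsed view contains only `b`, while the legacy backend additionally sees `user=alice` and `role=admin`; after `cleanQuery`, both sides agree on `b=ok` alone. Note that dropping pairs is a policy choice: a stricter proxy could instead reject the whole request with a 400.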
Thanks to Oxeye for pointing out this issue: https://www.oxeye.io/blog/golang-parameter-smuggling-attack