Last Modified: Jul 10, 2026
Affected Product(s):
BIG-IP (all modules)
Known Affected Versions:
17.5.1.6
Opened: Jun 29, 2026 Severity: 3-Major
After upgrading to BIG-IP 17.5.1.6, HTTP requests containing unencoded double quotes (") in the URI query string are rejected by APM (access.c framework). This behavior results from stricter RFC 3986 enforcement introduced by fixes 2259061 and 2259065. Applications that previously functioned now fail if requests include URIs that are non-compliant with RFC 3986.
1. Existing applications (e.g., Oracle WebLogic) fail to function after the upgrade. 2. Requests are rejected before reaching backend servers. 3. This issue prevents upgrading to version 17.5.1.6. 4. Results in production outages or degraded functionality. 5. Workarounds lead to performance degradation.
1. BIG-IP version: 17.5.1.6 2. APM enabled: Access Policy Manager is active. 3. Request characteristics: Contains unencoded special characters (e.g., " in query strings). 4. Traffic flow: Processed through the APM access policy (access.c). Example Trigger: /test?option2="method"&option3="POST"
Apply an iRule to encode unsupported characters (e.g., double quotes) before APM processing: when HTTP_REQUEST priority 100 { set my_uri [HTTP::uri] if { $my_uri contains "\"" } { HTTP::uri [string map { "\"" "%22" } $my_uri] } }
None