Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
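A strict check for the condition described above, as an added example (not code from the Go project or from this record): it walks a chunked body and rejects any chunk-size line, including its chunk-ext, that contains an LF not preceded by CR. The names `CheckChunkLines`, `ErrBareLF` and `ErrMalformed` are hypothetical, the sample bodies are constructed, and trailer fields are not inspected.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// Hypothetical error values for this example.
var (
	ErrBareLF    = errors.New("bare LF in chunk-size line")
	ErrMalformed = errors.New("malformed chunked body")
)

// CheckChunkLines verifies that every chunk-size line (size plus optional
// chunk-ext) is terminated by CRLF and contains no other LF.
func CheckChunkLines(body []byte) error {
	for {
		lf := bytes.IndexByte(body, '\n')
		if lf < 0 {
			return ErrMalformed // no line terminator at all
		}
		if lf == 0 || body[lf-1] != '\r' {
			return ErrBareLF // first LF on the line is not part of CRLF
		}
		line := body[:lf-1]
		if i := bytes.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop chunk-ext, keep the hex size
		}
		size, err := strconv.ParseUint(string(bytes.TrimRight(line, " \t")), 16, 31)
		if err != nil {
			return ErrMalformed
		}
		n := int(size)
		body = body[lf+1:]
		if n == 0 {
			return nil // last chunk reached
		}
		// Chunk data must be followed by CRLF before the next size line.
		if len(body) < n+2 || !bytes.Equal(body[n:n+2], []byte("\r\n")) {
			return ErrMalformed
		}
		body = body[n+2:]
	}
}

func main() {
	// Constructed sample bodies: well-formed, then bare LF after the size.
	fmt.Println(CheckChunkLines([]byte("5\r\nhello\r\n0\r\n\r\n")))
	fmt.Println(CheckChunkLines([]byte("5\nhello\r\n0\r\n\r\n")))
}
```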

PUBLISHED Reserved 2025-01-08 | Published 2025-04-08 | Updated 2026-05-12 | Assigner Go

Problem types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Product status

Default status: unaffected

Any version before 1.23.8: affected

1.24.0-0 (semver) before 1.24.2: affected

Credits

Jeppe Bonde Weikop

References

www.openwall.com/lists/oss-security/2025/04/04/4

cert-portal.siemens.com/productcert/html/ssa-783943.html

go.dev/cl/652998

go.dev/issue/71988

groups.google.com/g/golang-announce/c/Y2uBTVKjBQk

pkg.go.dev/vuln/GO-2025-3563

cve.org (CVE-2025-22871)

nvd.nist.gov (CVE-2025-22871)