CVE-2025-22871
Severity: CRITICAL 9.1 | EPSS: 0.29%
Request smuggling due to acceptance of invalid chunked data in net/http
Published: 4/8/2025 | Modified: 2/17/2026
Also known as: GHSA-g9pc-8g42-g6vq, RHSA-2025:10271, RHSA-2025:10291, RHSA-2025:10295, RHSA-2025:10768, RHSA-2025:10782, RHSA-2025:11352, RHSA-2025:11678, RHSA-2025:11682, RHSA-2025:12831, RHSA-2025:12850, RHSA-2025:15291, RHSA-2025:21328, RHSA-2025:8476, RHSA-2025:8477, RHSA-2025:8478, RHSA-2025:8539, RHSA-2025:8601, RHSA-2025:8632, RHSA-2025:8633, RHSA-2025:8634, RHSA-2025:8665, RHSA-2025:8666, RHSA-2025:8667, RHSA-2025:8680, RHSA-2025:8682, RHSA-2025:8685, RHSA-2025:8689, RHSA-2025:8737, RHSA-2025:8915, RHSA-2025:8916, RHSA-2025:8918, RHSA-2025:8974, RHSA-2025:8975, RHSA-2025:8982, RHSA-2025:8983, RHSA-2025:8984, RHSA-2025:9017, RHSA-2025:9018, RHSA-2025:9019, RHSA-2025:9020, RHSA-2025:9025, RHSA-2025:9043, RHSA-2025:9059, RHSA-2025:9060, RHSA-2025:9061, RHSA-2025:9062, RHSA-2025:9063, RHSA-2025:9064, RHSA-2025:9065, RHSA-2025:9067, RHSA-2025:9069, RHSA-2025:9070, RHSA-2025:9078, RHSA-2025:9106, RHSA-2025:9142, RHSA-2025:9143, RHSA-2025:9144, RHSA-2025:9145, RHSA-2025:9146, RHSA-2025:9147, RHSA-2025:9148, RHSA-2025:9149, RHSA-2025:9150, RHSA-2025:9151, RHSA-2025:9156, RHSA-2025:9172, RHSA-2025:9177, RHSA-2025:9199, RHSA-2025:9200, RHSA-2025:9205, RHSA-2025:9206, RHSA-2025:9207, RHSA-2025:9279, RHSA-2025:9311, RHSA-2025:9312, RHSA-2025:9313, RHSA-2025:9317, RHSA-2025:9319, RHSA-2025:9623, RHSA-2025:9634, RHSA-2025:9635, RHSA-2025:9637, RHSA-2025:9638, RHSA-2025:9639, RHSA-2025:9640, RHSA-2025:9641, RHSA-2025:9642, RHSA-2025:9711, RHSA-2025:9712, RHSA-2025:9713, RHSA-2025:9714, RHSA-2025:9715, RHSA-2025:9756, RHSA-2025:9844, RHSA-2025:9845, RHSA-2025:9975, RHSA-2025:9986, BIT-golang-2025-22871, CGA-grqw-v5x4-56m6, GO-2025-3563, RHBA-2025:14817
Description
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Affected packages (6)
- Bitnami/golang: from 0, < 1.23.8; >= 1.24.0-0, < 1.24.2
- Debian/golang-1.15: from 0
- Debian/golang-1.19: from 0
- Debian/golang-1.24: from 0, < 1.24.2-1
- Go/stdlib: from 0, < 1.23.8; >= 1.24.0-0, < 1.24.2
- Packagist/spiral/roadrunner: from 0, < 2025.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-22871
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-22871
- PATCH: https://github.com/roadrunner-server/roadrunner
- PATCH: https://go.dev/cl/652998
- REPORT: https://go.dev/issue/71988
- WEB: https://cert-portal.siemens.com/productcert/html/ssa-783943.html
- WEB: https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa
- WEB: https://github.com/roadrunner-server/roadrunner/issues/2166
- WEB: https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0
- WEB: https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
- WEB: https://pkg.go.dev/vuln/GO-2025-3563
- WEB: http://www.openwall.com/lists/oss-security/2025/04/04/4