CVE-2025-22871

April 9, 2025, 8:02 p.m.

None
No Score

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Product(s) Impacted

Product Versions
net_http
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://go.dev/cl/652998
https://go.dev/issue/71988
https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
https://pkg.go.dev/vuln/GO-2025-3563
http://www.openwall.com/lists/oss-security/2025/04/04/4

Tags

security@golang.org
2025-04-08
CVE-2025-22871

Timeline

Published: April 8, 2025, 8:15 p.m.
Last Modified: April 9, 2025, 8:02 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.