CVE-2025-22871 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-22871

CVE-2025-22871

April 08, 2025

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Affected Packages

https://github.com/golang/go.git (GITHUB):

Affected version(s) >=go1.0.1 <go1.23.8

Fix Suggestion:

Update to version go1.23.8

https://github.com/golang/go.git (GITHUB):

Affected version(s) >=go1.24.0 <go1.24.2

Fix Suggestion:

Update to version go1.24.2

Related Resources (11)

https://github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa

https://github.com/roadrunner-server/roadrunner

https://github.com/roadrunner-server/roadrunner/issues/2166

https://go.dev/issue/71988

https://nvd.nist.gov/vuln/detail/CVE-2025-22871

http://www.openwall.com/lists/oss-security/2025/04/04/4

https://github.com/golang/go/issues/71988

https://pkg.go.dev/vuln/GO-2025-3563

https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk

https://github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0

https://go.dev/cl/652998

Do you need more information?

CVSS v4

Base Score:

9.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Dependency on Vulnerable Third-Party Component

EPSS

Base Score:

0.17