CVE-2025-22871

Published Apr 8, 2025

Last updated 14 days ago

Overview

Description: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Source: security@golang.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.1
Impact score: 5.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: CRITICAL

Social media

Hype score
Not currently trending
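  1. I'm generating an SBOM with syft and outputting vulnerabilities with grype, but I wonder if there is no way to output the files that contain the vulnerability. I understand that the Critical CVE-2025-22871 was detected in the stdlib included in go-module, but what should I update? Do I just have to update every command I downloaded with curl, one after another...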

    @jay34986

    21 Apr 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔴 Traefik, HTTP Request Smuggling, #CVE-2025-22871 (Critical) https://t.co/B621YFEwAq

    @dailycve

    19 Apr 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Lambda Watchdog detected a new UNKNOWN severity CVE 🚨 CVE-2025-22871 was detected in the latest AWS Lambda image scan affecting the stdlib package in 25 images. Check the full report 👉 https://t.co/6EUGaPyRZk #AWS #Lambda #CVE #CloudSecurity #Serverless

    @LambdaWatchdog

    9 Apr 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-22871 The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is use… https://t.co/CrlIiBnrcD

    @CVEnew

    9 Apr 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. New post from https://t.co/uXvPWJy6tj (CVE-2025-22871 | Google Go 1.23/1.24 net-http request smuggling) has been published on https://t.co/SFZDdM8H8V

    @WolfgangSesin

    2 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🎊 Go 1.24.2 and 1.23.8 are released! 🔐 Security: Includes a security fix for net/http (CVE-2025-22871). 📣 Announcement: https://t.co/ZvslQsqZmB 📦 Download: https://t.co/SO9mNulAfF #golang https://t.co/gZrxjFKfEB

    @golang

    1 Apr 2025

    22073 Impressions

    131 Retweets

    521 Likes

    26 Bookmarks

    5 Replies

    7 Quotes