CVE-2025-22871
CriticalSummary
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
Risk Assessment
Organizations may be exposed to request smuggling attacks, potentially leading to unauthorized access to data or execution of unwanted operations on the server.
Recommendation
It is recommended to update the net/http package and monitor server configurations to ensure they do not accept a bare LF as part of chunk-ext.
Original NVD description (English source)
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

