CVE Catalog

CVE-2025-22871

Critical
Published: Translated: NVD NIST

Summary

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Risk Assessment

Organizations may be exposed to request smuggling attacks, potentially leading to unauthorized access to data or execution of unwanted operations on the server.

Recommendation

It is recommended to update the net/http package and monitor server configurations to ensure they do not accept a bare LF as part of chunk-ext.

Original NVD description (English source)

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS