CVE-2025-22871: HTTP Request Smuggling in Standard Library NET Http Internal

Severity
9.1 CRITICAL (NVD)
EPSS
0.1%
top 73.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 8
Latest update: Nov 13

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (5 packages)

CVEListV5  go_standard_library/net_http_internal  1.24.0-0  1.24.2  +1
Packagist  spiral/roadrunner  < 2025.1.0
Go  github.com/traefik_traefik_v3  3.4.0-rc1  3.4.0-rc2  +1

🔴 Vulnerability Details

9
OSV
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency (2025-11-13)
GHSA
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency (2025-11-13)
GHSA
Traefik affected by Go HTTP Request Smuggling Vulnerability (2025-04-18)
OSV
Traefik affected by Go HTTP Request Smuggling Vulnerability (2025-04-18)
OSV
CVE-2025-22871: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines (2025-04-08)

📋 Vendor Advisories

3
Microsoft
Request smuggling due to acceptance of invalid chunked data in net/http (2025-04-08)
Red Hat
net/http: Request smuggling due to acceptance of invalid chunked data in net/http (2025-04-08)
Debian
CVE-2025-22871: golang-1.15 - The net/http package improperly accepts a bare LF as a line terminator in chunke... (2025)