CVE-2025-22871
Published 2025-04-08
CVE-2025-22871: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server…
Priority P351 · critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.72% (49.4th percentile)
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
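As an added illustration (not code from the Go project or from any of the advisories collected here), the following Go program shows the strict chunk-size-line handling that the fixed net/http versions apply: a chunk-size line must end in CRLF, so a bare LF is rejected rather than silently treated as a line terminator, and the optional chunk-ext after `;` is never allowed to absorb a line ending. `ValidateChunkedBody`, `ErrBareLF` and the 1 MiB chunk cap are names and limits chosen for this example, and the sample bodies are constructed rather than captured; the validator can be pointed at a captured request body to check whether a parser in front of a Go service would have seen a differently delimited message.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrBareLF is returned when a chunk-size line (or a trailer line) ends in "\n"
// without the preceding "\r" that RFC 9112 requires.
var ErrBareLF = errors.New("chunk-size line terminated by bare LF instead of CRLF")

// maxChunkSize is an arbitrary cap (an assumption for this example) so that a
// hostile chunk-size line cannot make the validator allocate gigabytes.
const maxChunkSize = 1 << 20

// readChunkSizeLine reads one chunk-size line in strict mode: the line must end
// in CRLF, the size is hexadecimal, and anything after ';' is an opaque chunk-ext
// that is returned but never interpreted.
func readChunkSizeLine(r *bufio.Reader) (size uint64, ext string, err error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return 0, "", fmt.Errorf("reading chunk-size line: %w", err)
	}
	if !strings.HasSuffix(line, "\r\n") {
		// This is the lenient behaviour the advisory describes: the vulnerable
		// versions accepted this line; strict mode refuses it.
		return 0, "", ErrBareLF
	}
	line = strings.TrimSuffix(line, "\r\n")
	sizePart, ext, _ := strings.Cut(line, ";")
	if sizePart == "" {
		return 0, "", errors.New("empty chunk size")
	}
	size, err = strconv.ParseUint(sizePart, 16, 64)
	if err != nil {
		return 0, "", fmt.Errorf("invalid chunk size %q: %w", sizePart, err)
	}
	if size > maxChunkSize {
		return 0, "", fmt.Errorf("chunk size %d exceeds cap %d", size, maxChunkSize)
	}
	return size, ext, nil
}

// ValidateChunkedBody walks a complete chunked message body and returns nil only
// if every chunk-size line, every chunk-data terminator and every trailer line is
// CRLF-terminated. A body that the fixed Go versions reject because of a bare LF
// yields an error for which errors.Is(err, ErrBareLF) is true.
func ValidateChunkedBody(body []byte) error {
	r := bufio.NewReader(bytes.NewReader(body))
	for i := 0; ; i++ {
		size, _, err := readChunkSizeLine(r)
		if err != nil {
			return fmt.Errorf("chunk %d: %w", i, err)
		}
		if size == 0 {
			// last-chunk: optional trailer fields, then an empty CRLF line.
			for {
				line, err := r.ReadString('\n')
				if err != nil {
					return fmt.Errorf("trailer: %w", err)
				}
				if !strings.HasSuffix(line, "\r\n") {
					return fmt.Errorf("trailer: %w", ErrBareLF)
				}
				if line == "\r\n" {
					return nil
				}
			}
		}
		if _, err := io.ReadFull(r, make([]byte, size)); err != nil {
			return fmt.Errorf("chunk %d: short chunk data: %w", i, err)
		}
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(r, crlf); err != nil || string(crlf) != "\r\n" {
			return fmt.Errorf("chunk %d: chunk data not followed by CRLF", i)
		}
	}
}

func main() {
	// Constructed sample bodies (not captured traffic).
	samples := map[string][]byte{
		"well-formed":       []byte("5\r\nhello\r\n0\r\n\r\n"),
		"with chunk-ext":    []byte("5;name=value\r\nhello\r\n0\r\n\r\n"),
		"bare LF size line": []byte("5\nhello\r\n0\r\n\r\n"),
	}
	for name, body := range samples {
		err := ValidateChunkedBody(body)
		fmt.Printf("%-18s bareLF=%v err=%v\n", name, errors.Is(err, ErrBareLF), err)
	}
}
```

The validator deliberately does not try to "recover" from a bare LF by treating it as a terminator or folding it into the chunk-ext; both choices are what create the parser disagreement the advisory describes, so the only safe outcome for an ambiguous line is a hard reject.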
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.24 1.24.2-1 (forky) | golang-1.24 1.24.2-1 (forky) |
| debian | golang-1.19 | < golang-1.24 1.24.2-1 (forky) | golang-1.24 1.24.2-1 (forky) |
| debian | golang-1.24 | < golang-1.24 1.24.2-1 (forky) | golang-1.24 1.24.2-1 (forky) |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.45.2 | 2.45.2 |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.24 | 2.11.24 |
| github.com | traefik_traefik_v3 | >= 0 < 3.3.6 | 3.3.6 |
| github.com | traefik_traefik_v3 | >= 3.4.0-rc1 < 3.4.0-rc2 | 3.4.0-rc2 |
| go_standard_library | net_http_internal | < 1.23.8 | 1.23.8 |
| go_standard_library | net_http_internal | >= 1.24.0-0 < 1.24.2 | 1.24.2 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_gcc_11.2.0-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.22.7-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.24.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| spiral | roadrunner | >= 0 < 2025.1.0 | 2025.1.0 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| ghsa | 9.1 | CRITICAL | |
| osv | 9.1 | CRITICAL | |
| vendor_debian | 9.1 | CRITICAL | |
| vendor_redhat | 9.1 | CRITICAL | |
| vendor_msrc | 8.2 | HIGH | |
Palo Alto · vendor_paloalto · 2025-07-09 · CVSS 7.5
CVE-2018-6594 [HIGH] PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
- CVE-2018-6594: fixed in PAN-OS 10.2.17, 11.1.11, 11.2.8, 12.1.2, and all later versions of PAN-OS
- CVE-2018-25032: fixed in PAN-OS 10.1.7, 10.2.2, and all later versions of PAN-OS
- CVE-2019-5827: fixed in PAN-OS 11.1.4, and all later versions of PAN-OS
- CVE-2019-13750: fixed in PAN-OS 11.1.4, and all later versions of PAN-OS
- CVE-2019-13751: fixed in PAN-OS 11.1.4, and all later versions
Palo Alto · vendor_paloalto · 2025-07-09 · CVSS 7.5
CVE-2023-38546 [HIGH] PAN-SA-2025-0012 Informational Bulletin: OSS CVEs Fixed in PAN-OS
Microsoft · vendor_msrc · 2025-04-08 · CVSS 8.2
CVE-2025-22871 [CRITICAL] Request smuggling due to acceptance of invalid chunked data in net/http
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: htt
Red Hat · vendor_redhat · 2025-04-08 · CVSS 9.1
CVE-2025-22871 [CRITICAL] CWE-444 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling—where an attacker tricks the system into sending hidden or unauthorized requests.
Statement: Red Hat Satellite is rated as Low severity for this vulnerability. However, other affected components remain Mode
Debian · vendor_debian · 2025 · CVSS 9.1
CVE-2025-22871 [CRITICAL] golang-1.15 - The net/http package improperly accepts a bare LF as a line terminator in chunke...
Scope: local
bullseye: open
OSV · osv · 2025-11-13 · CVSS 9.1
CVE-2025-22871 [CRITICAL] File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. It can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.
GHSA · ghsa · 2025-11-13 · CVSS 9.1
CVE-2025-22871 [CRITICAL] CWE-1395 File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
GHSA · ghsa · 2025-04-18 · CVSS 9.1
CVE-2025-22871 [CRITICAL] CWE-1395 Traefik affected by Go HTTP Request Smuggling Vulnerability
### Summary
net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871]
Vendor Affected Components: Go: 1.23.x < 1.23.8
More Details: [CVE-2025-22871](https://nvd.nist.gov/vuln/detail/CVE-2025-22871)
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.24
- https://github.com/traefik/traefik/releases/tag/v3.3.6
- https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
OSV · osv · 2025-04-18 · CVSS 9.1
CVE-2025-22871 [CRITICAL] Traefik affected by Go HTTP Request Smuggling Vulnerability
OSV · osv · 2025-04-08 · CVSS 9.1
CVE-2025-22871 [CRITICAL] CVE-2025-22871: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines
OSV · osv · 2025-04-08
CVE-2025-22871 [CRITICAL] RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
GHSA · ghsa · 2025-04-08
CVE-2025-22871 [CRITICAL] CWE-1395 RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
OSV · osv · 2025-04-08
CVE-2025-22871 Request smuggling due to acceptance of invalid chunked data in net/http
No detection rules found.
No public exploits indexed.
Published: 2025-04-08