CVE-2025-22871CRITICAL≥ 0, < 2025.1.02025-04-08
CVE-2025-22871 [CRITICAL] CWE-1395 RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
ghsaosv