CVE-2025-22871: Request smuggling due to acceptance of invalid chunked data in net/http

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Classification

CVE ID: CVE-2025-22871

Problem Types

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Affected Products

Vendor: Go standard library

Product: net/http/internal

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 0.42% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22871
https://go.dev/cl/652998
https://go.dev/issue/71988
https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
https://pkg.go.dev/vuln/GO-2025-3563

Timeline

2025-04-05 14:30:24 UTC
Tenable Plugins

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.23 (SUSE-SU-2025:1141-1)
2025-04-08 14:00:36 UTC
Tenable Plugins

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.24 (SUSE-SU-2025:1153-1)
2025-04-08 21:40:15 UTC
CVE

Request smuggling due to acceptance of invalid chunked data in net/http
2025-04-17 11:30:43 UTC
Tenable Plugins

Amazon Linux 2 : golang (ALAS-2025-2825)
2025-04-18 20:15:27 UTC
Github Advisory Database (Go)

[github.com/traefik/traefik/v3] Traefik affected by Go HTTP Request Smuggling Vulnerability
2025-04-18 20:15:27 UTC
Github Advisory Database (Go)

[github.com/traefik/traefik/v2] Traefik affected by Go HTTP Request Smuggling Vulnerability
2025-04-19 12:30:32 UTC
Tenable Plugins

CBL Mariner 2.0 Security Update: msft-golang (CVE-2025-22871)