CVE-2025-22871

CRITICAL 9.1

Request smuggling due to acceptance of invalid chunked data in net/http

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Vendor	go standard library
Product	net/http/internal
Published	Apr 8, 2025
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for go standard library net/http/internal

Be the first to know when new critical vulnerabilities affecting go standard library net/http/internal are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Go standard library / net/http/internal

0 < 1.23.8 1.24.0-0 < 1.24.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

go.dev: https://go.dev/cl/652998 go.dev: https://go.dev/issue/71988 groups.google.com: https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk pkg.go.dev: https://pkg.go.dev/vuln/GO-2025-3563 openwall.com: http://www.openwall.com/lists/oss-security/2025/04/04/4 cert-portal.siemens.com: https://cert-portal.siemens.com/productcert/html/ssa-783943.html

Credits

Jeppe Bonde Weikop