HTTP Package Vulnerability in Go's Net/HTTP Due to Improper Line Terminator Handling
CVE-2025-22871


Key Information:

Vendor:
CVE Published: 8 April 2025


What is CVE-2025-22871?

CVE-2025-22871 is a vulnerability in the Go standard library, specifically in the net/http package, which implements the HTTP clients and servers used by most Go web applications. The flaw is improper handling of line terminators in chunked transfer encoding: the package accepted a bare line feed (LF) where a CRLF is required. Because an HTTP implementation that parses message boundaries differently from the proxies or servers around it is the precondition for request smuggling, organizations running Go-based web servers behind or in front of other HTTP components are the ones most exposed, with consequences for application integrity and data confidentiality.

Technical Details

This vulnerability stems from how the net/http package processes chunked transfer encoding, the HTTP mechanism for streaming a body as a sequence of length-prefixed chunks. Each chunk begins with a chunk-size line that must be terminated by CRLF. The affected versions accepted a malformed request whose chunk-size line was terminated by a bare LF instead. When two components in the same request path (for example a reverse proxy and a Go back-end) disagree on whether a bare LF ends the chunk-size line, they disagree on where the chunk, and therefore the request, ends; that ambiguity is what allows an attacker to manipulate how a request is split and bypass controls that were applied to the request as the front-end saw it.
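To make the parsing point concrete, the following added example (written for this page, not code from the Go project) is a small strict chunked-body decoder. Its readChunkSize function insists that every chunk-size line end in CRLF and rejects a bare LF with ErrBareLF, which is the strict behaviour the fixed Go releases enforce; the two constructed sample bodies at the bottom (one well-formed, one with a bare LF after the chunk size) show the difference in outcome. Function names, the error value and the sample inputs are all assumptions of this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrBareLF is returned when a chunk-size line ends in "\n" without a
// preceding "\r". RFC 9112 requires CRLF here; accepting LF alone is the
// defect CVE-2025-22871 describes. (Name chosen for this example.)
var ErrBareLF = errors.New("chunk-size line terminated by bare LF")

// readChunkSize reads one chunk-size line and returns the decoded size.
// Chunk extensions ("; name=value") are stripped; only the hex size is used.
func readChunkSize(r *bufio.Reader) (int64, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return 0, err
	}
	// Strict terminator check: the line must end in CRLF, not a bare LF.
	if !strings.HasSuffix(line, "\r\n") {
		return 0, ErrBareLF
	}
	line = strings.TrimSuffix(line, "\r\n")
	if i := strings.IndexByte(line, ';'); i >= 0 {
		line = line[:i]
	}
	size, err := strconv.ParseInt(strings.TrimSpace(line), 16, 64)
	if err != nil || size < 0 {
		return 0, fmt.Errorf("invalid chunk size %q", line)
	}
	return size, nil
}

// decodeChunked decodes a chunked body strictly and returns its payload.
// Any bare-LF chunk-size line aborts decoding with ErrBareLF, so the
// ambiguity a lenient parser would introduce never reaches the caller.
func decodeChunked(body []byte) ([]byte, error) {
	r := bufio.NewReader(bytes.NewReader(body))
	var out bytes.Buffer
	for {
		size, err := readChunkSize(r)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			// Last chunk; trailer fields are not handled in this example.
			return out.Bytes(), nil
		}
		data := make([]byte, size)
		if _, err := io.ReadFull(r, data); err != nil {
			return nil, err
		}
		out.Write(data)
		// Chunk data must itself be followed by CRLF.
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(r, crlf); err != nil {
			return nil, err
		}
		if string(crlf) != "\r\n" {
			return nil, errors.New("chunk data not terminated by CRLF")
		}
	}
}

func main() {
	// Constructed sample bodies for this example.
	good := []byte("5\r\nhello\r\n0\r\n\r\n")
	bareLF := []byte("5\nhello\r\n0\r\n\r\n")

	for name, body := range map[string][]byte{"good": good, "bareLF": bareLF} {
		payload, err := decodeChunked(body)
		if err != nil {
			fmt.Printf("%s: rejected (%v)\n", name, err)
			continue
		}
		fmt.Printf("%s: payload %q\n", name, payload)
	}
}
```

The useful property to take from this is that the strict decoder fails closed: a body whose chunk-size line is terminated only by LF is rejected outright rather than being parsed one way here and another way by a neighbouring proxy. Upgrading to Go 1.23.8 or 1.24.2 restores that behaviour in net/http itself; the decoder above is only an illustration of the check, not a substitute for the patched library.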

Potential impact of CVE-2025-22871

  1. Request Smuggling Vulnerabilities: Attackers could exploit this vulnerability to perform request smuggling, allowing them to manipulate the intended sequence of requests between a client and server. This could lead to unauthorized access to backend services or sensitive information.

  2. Bypassing Security Controls: The ability to craft requests that are misinterpreted by intermediary servers could allow malicious users to bypass firewalls, web application firewalls (WAFs), and other security features, leading to further exploits against an organization's infrastructure.

  3. Data Integrity and Confidentiality Risks: Successful exploitation of this vulnerability may result in data breaches or the unauthorized access and modification of sensitive data, jeopardizing organizational integrity and compliance with data protection regulations.

Affected Version(s)

net/http/internal: all versions before 1.23.8

net/http/internal: 1.24.0-0 up to, but not including, 1.24.2

News Articles

ALT Linux - All branches - errata ALT-PU-2025-5058-2 - Information


ALT Linux - All branches - errata ALT-PU-2025-5091-2 - Information


ALT Linux - All branches - errata ALT-PU-2025-5056-2 - Information


References

Timeline

  • Vulnerability published

  • First article discovered by VulDB

  • Vulnerability Reserved

Credit

Jeppe Bonde Weikop