oss-sec mailing list archives
CVE-2025-22871 : Go net/http: request smuggling through invalid chunked data
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 4 Apr 2025 13:53:35 -0700
https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk/m/cs_6qIK5BAAJ announces the release of Go versions 1.24.2 and 1.23.8, including a security fix for:
net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
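The check the fix describes, shown as an added example (written for this post, not taken from Go's net/http source; the function names are assumptions): a chunk-size line reader that rejects a bare-LF terminator instead of accepting it, plus a minimal chunked-body decoder built on it.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strconv"
	"strings"
)

// readChunkSizeLine reads one chunk-size line (hex size, optional ";ext", CRLF) and
// applies the check the fix describes: a line ending in a bare LF is rejected.
// Hypothetical helper written for this example, not net/http's own code.
func readChunkSizeLine(r *bufio.Reader) (int64, string, error) {
	line, err := r.ReadString('\n') // returns at the first LF, with or without a CR
	if err != nil {
		return 0, "", err
	}
	if !strings.HasSuffix(line, "\r\n") {
		return 0, "", errors.New("chunk-size line terminated by bare LF")
	}
	sizeStr, ext, _ := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";")
	size, err := strconv.ParseInt(sizeStr, 16, 64)
	if err != nil || size < 0 {
		return 0, "", errors.New("bad chunk size " + strconv.Quote(sizeStr))
	}
	return size, ext, nil
}

// DecodeChunked decodes a whole chunked body and returns its payload, failing on
// the first malformed size line or on chunk data that is not followed by CRLF.
func DecodeChunked(raw string) ([]byte, error) {
	r := bufio.NewReader(strings.NewReader(raw))
	var out []byte
	for {
		size, _, err := readChunkSizeLine(r)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			return out, nil // last-chunk reached; trailers are not needed here
		}
		data := make([]byte, size+2) // chunk-data plus its trailing CRLF
		if _, err := io.ReadFull(r, data); err != nil || string(data[size:]) != "\r\n" {
			return nil, errors.New("chunk data not terminated by CRLF")
		}
		out = append(out, data[:size]...)
	}
}
```

A body such as "5;x=y\nhello\r\n0\r\n\r\n" (constructed input) is refused at the first size line, so two parsers that disagree about where that line ends never get to see different payloads.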