CVE-2025-22871
Request Smuggling vulnerability in stdlib

What is CVE-2025-22871 About?

The Go `net/http` package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This flaw can enable request smuggling attacks when a `net/http` server is used in conjunction with a frontend server that incorrectly accepts bare LF as part of a chunk extension. This vulnerability can lead to session hijacking, cache poisoning, and other client-side attacks.

Affected Software

stdlib <1.23.8

Technical Details

The Go `net/http` package's HTTP/1.1 parser mishandles line endings within chunked transfer encoding, specifically in the chunk-size line. HTTP/1.1 requires CRLF (carriage return followed by line feed) as the line terminator, but the `net/http` package improperly accepts a bare LF (line feed). This becomes a problem when the Go server is deployed behind a reverse proxy or load balancer (frontend server) that incorrectly accepts a bare LF as part of a chunk extension, because the two servers then disagree about where the chunk-size line ends and where the chunk data begins. An attacker can craft a request whose boundaries the two servers interpret differently, so that the frontend sees one logical request where the Go server sees two (or more). This 'smuggles' a second request past the frontend, allowing for various bypasses, including security policy evasion, cache poisoning, and unauthorized access.
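The line-terminator disagreement can be seen on a single chunk-size line. The following is an added Go example, not code from `net/http` or from this advisory: three simplified, hypothetical line readers (all function names are assumptions) applied to a constructed input, with the strict reader rejecting the bare LF instead of picking an interpretation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrBareLF marks a chunk-size line whose LF is not preceded by CR.
var ErrBareLF = errors.New("bare LF in chunk-size line")

// lenientLine is a simplified model of the pre-fix behaviour: first LF ends the line, CR optional.
func lenientLine(b []byte) (line, rest []byte) {
	i := bytes.IndexByte(b, '\n')
	if i < 0 {
		return nil, b
	}
	return bytes.TrimSuffix(b[:i], []byte("\r")), b[i+1:]
}

// extTolerantLine models a frontend that keeps a bare LF inside the chunk extension: only CRLF ends the line.
func extTolerantLine(b []byte) (line, rest []byte) {
	i := bytes.Index(b, []byte("\r\n"))
	if i < 0 {
		return nil, b
	}
	return b[:i], b[i+2:]
}

// strictLine requires CRLF and rejects the input instead of guessing.
func strictLine(b []byte) (line, rest []byte, err error) {
	i := bytes.IndexByte(b, '\n')
	if i < 0 {
		return nil, b, errors.New("incomplete chunk-size line")
	}
	if i == 0 || b[i-1] != '\r' {
		return nil, b, ErrBareLF
	}
	return b[:i-1], b[i+1:], nil
}

func main() {
	// Constructed sample: chunk-size line with a bare LF inside the extension.
	in := []byte("5;a=b\nc\r\nhello\r\n0\r\n\r\n")
	l, _ := lenientLine(in)
	e, _ := extTolerantLine(in)
	_, _, err := strictLine(in)
	fmt.Printf("lenient=%q ext-tolerant=%q strict=%v\n", l, e, err)
}
```

The two tolerant readers return different lines and different starting offsets for the chunk data from the same bytes, which is the condition the upgrade removes on the Go side.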

What is the Impact of CVE-2025-22871?

Successful exploitation may allow attackers to bypass security controls, poison web caches, or perform session hijacking, potentially leading to unauthorized access and data manipulation.

What is the Exploitability of CVE-2025-22871?

Exploitation requires the Go `net/http` server to be deployed behind a reverse proxy or load balancer whose interpretation of HTTP/1.1 line terminators is inconsistent with the Go server's: specifically, a frontend that accepts a bare LF within a chunk extension, where the Go server accepts it as a line terminator. The complexity is high, as precise crafting of HTTP request headers and body, along with knowledge of the frontend server's parsing behavior, is necessary. Authentication typically isn't a direct requirement, as the attack subverts how requests are delivered, potentially bypassing authentication mechanisms. Privilege requirements are not applicable to the attacker's side. This is a remote exploitation vector. The primary constraint is the specific combination of Go `net/http` and an improperly lenient frontend server. The risk factors increase significantly in enterprise environments where multiple layers of proxies are common and configuration inconsistencies are more likely.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2025-22871?

Available Upgrade Options

  • stdlib
    • <1.23.8 → Upgrade to 1.23.8


What are Similar Vulnerabilities to CVE-2025-22871?

Similar Vulnerabilities: CVE-2019-14899, CVE-2020-15166, CVE-2023-28952, CVE-2023-25102, CVE-2024-24761