{"id":"GO-2025-3563","summary":"Request smuggling due to acceptance of invalid chunked data in net/http","details":"The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.","aliases":["BIT-golang-2025-22871","CVE-2025-22871","GHSA-g9pc-8g42-g6vq"],"modified":"2026-04-24T06:42:25.624332459Z","published":"2025-04-08T19:46:23Z","related":["CGA-grqw-v5x4-56m6","RHBA-2025:14817","RHSA-2025:10271","RHSA-2025:10291","RHSA-2025:10295","RHSA-2025:10768","RHSA-2025:10782","RHSA-2025:11352","RHSA-2025:11678","RHSA-2025:11682","RHSA-2025:12831","RHSA-2025:12850","RHSA-2025:15291","RHSA-2025:21328","RHSA-2025:8476","RHSA-2025:8477","RHSA-2025:8478","RHSA-2025:8539","RHSA-2025:8601","RHSA-2025:8632","RHSA-2025:8633","RHSA-2025:8634","RHSA-2025:8665","RHSA-2025:8666","RHSA-2025:8667","RHSA-2025:8680","RHSA-2025:8682","RHSA-2025:8685","RHSA-2025:8689","RHSA-2025:8737","RHSA-2025:8915","RHSA-2025:8916","RHSA-2025:8918","RHSA-2025:8974","RHSA-2025:8975","RHSA-2025:8982","RHSA-2025:8983","RHSA-2025:8984","RHSA-2025:9017","RHSA-2025:9018","RHSA-2025:9019","RHSA-2025:9020","RHSA-2025:9025","RHSA-2025:9043","RHSA-2025:9059","RHSA-2025:9060","RHSA-2025:9061","RHSA-2025:9062","RHSA-2025:9063","RHSA-2025:9064","RHSA-2025:9065","RHSA-2025:9067","RHSA-2025:9069","RHSA-2025:9070","RHSA-2025:9078","RHSA-2025:9106","RHSA-2025:9142","RHSA-2025:9143","RHSA-2025:9144","RHSA-2025:9145","RHSA-2025:9146","RHSA-2025:9147","RHSA-2025:9148","RHSA-2025:9149","RHSA-2025:9150","RHSA-2025:9151","RHSA-2025:9156","RHSA-2025:9172","RHSA-2025:9177","RHSA-2025:9199","RHSA-2025:9200","RHSA-2025:9205","RHSA-2025:9206","RHSA-2025:9207","RHSA-2025:9279","RHSA-2025:9311","RHSA-2025:9312","RHSA-2025:9313","RHSA-2025:9317","RHSA-2025:9319","RHSA-2025:9623","RHSA-2025:9634","RHSA-2025:9635","RHSA-2025:9637","RHSA-2025:9638","RHSA-2025:9639","RHSA-2025:9640","RHSA-2025:9641","RHSA-2025:9642","RHSA-2025:9711","RHSA-2025:9712","RHSA-2025:9713","RHSA-2025:9714","RHSA-2025:9715","RHSA-2025:9756","RHSA-2025:9844","RHSA-2025:9845","RHSA-2025:9975","RHSA-2025:9986"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3563","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/652998"},{"type":"REPORT","url":"https://go.dev/issue/71988"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.23.8"},{"introduced":"1.24.0-0"},{"fixed":"1.24.2"}]}],"ecosystem_specific":{"imports":[{"symbols":["chunkedReader.Read","readChunkLine"],"path":"net/http/internal"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3563.json"}}],"schema_version":"1.7.5","credits":[{"name":"Jeppe Bonde Weikop"}]}