Request smuggling due to acceptance of invalid chunked data in net/http

GO-2025-3563 · BIT-golang-2025-22871 · CVE-2025-22871 · GHSA-g9pc-8g42-g6vq

Published Apr 8, 2025 · Modified Feb 17, 2026

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

References

FIX https://go.dev/cl/652998
REPORT https://go.dev/issue/71988
WEB https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes