CVE-2025-22871 · CRITICAL 9.1 · EPSS p47.6%

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
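
A strict chunk-size line reader that rejects the bare-LF terminator described above, shown as an added example. It is not the net/http implementation or the code from the referenced change, and the names readChunkSize, checkLine and the error values are hypothetical.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	errBareLF  = errors.New("chunk-size line ends with bare LF")
	errStrayCR = errors.New("CR before end of chunk-size line")
	errBadSize = errors.New("invalid chunk size")
)

// readChunkSize reads one chunk-size line; only CRLF is accepted as terminator.
func readChunkSize(r *bufio.Reader) (uint64, error) {
	line, err := r.ReadString('\n') // line includes the trailing LF
	if err != nil {
		return 0, err
	}
	switch cr := strings.IndexByte(line, '\r'); {
	case cr == -1:
		return 0, errBareLF // LF with no CR anywhere, e.g. inside a chunk-ext
	case cr != len(line)-2:
		return 0, errStrayCR // CR present, but not directly before the LF
	}
	field := line[:len(line)-2]
	if i := strings.IndexByte(field, ';'); i >= 0 {
		field = field[:i] // chunk-ext is dropped only after the CRLF check
	}
	n, err := strconv.ParseUint(field, 16, 64) // base 16: no sign, no 0x prefix
	if err != nil {
		return 0, errBadSize
	}
	return n, nil
}

func checkLine(s string) (uint64, error) {
	return readChunkSize(bufio.NewReader(strings.NewReader(s)))
}

func main() {
	samples := []string{"1a\r\n", "1a;name=val\r\n", "1a\n", "1a;x\nyy\r\n"} // constructed inputs
	for _, s := range samples {
		n, err := checkLine(s)
		fmt.Printf("%q -> size=%d err=%v\n", s, n, err)
	}
}
```

Two components on the same connection stay in agreement on chunk boundaries only if both apply the same terminator rule, so the check runs before the chunk-ext is discarded.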

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.68% probability of exploitation · percentile 47.6% · 2026-06-19T12:03:05Z
Published: 2025-04-08
Last modified: 2026-05-12

References

  1. https://go.dev/cl/652998
  2. https://go.dev/issue/71988
  3. https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
  4. https://pkg.go.dev/vuln/GO-2025-3563
  5. http://www.openwall.com/lists/oss-security/2025/04/04/4
  6. https://cert-portal.siemens.com/productcert/html/ssa-783943.html

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.