CVE-2025-22871 – Request smuggling due to acceptance of invalid chunked data in net/http

https://notcve.org/view.php?id=CVE-2025-22871

04 Apr 2025 — The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smugglin... • https://go.dev/cl/652998 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •