Bug 2358493 (CVE-2025-22871)

Summary: CVE-2025-22871 net/http: Request smuggling due to acceptance of invalid chunked data in net/http
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified    CC: aazores, abrianik, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, anthomas, aoconnor, bdettelb, bniver, brking, cbartlet, cmah, crizzo, davidn, debarshir, dhanak, dmayorov, doconnor, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, fdeutsch, flucifre, ggainey, ggrzybek, gkamathe, gmeno, gparvin, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jeder, jforrest, jjoyce, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jprabhak, jschluet, juwatts, jwendell, jwest, kegrant, kingland, koliveir, kshier, kverlaen, lchilton, lgamliel, lhh, lphiri, lsvaty, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mkudlej, mmakovy, mnovotny, mrunge, njean, nmoumoul, oramraz, osousa, owatkins, pahickey, parichar, pbraun, pcreech, peholase, periklis, pgaikwad, pgrist, pierdipi, pjindal, rcernich, rchan, relrod, rfreiman, rhaigner, rhuss, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, tasato, teagle, tfister, thason, thavo, tjochec, tsweeney, vereddy, vimartin, whayutin, wtam, yguenane
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the net/http golang package. The net/http package incorrectly accepts chunk-size lines that end with a bare line feed (LF) instead of the proper CRLF line ending. When used behind or in front of another server that also misinterprets this, it can lead to request smuggling, where an attacker tricks the system into sending hidden or unauthorized requests.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2363173, 2363174, 2363175, 2363180, 2363181, 2363182, 2358578    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-08 21:01:55 UTC
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
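To make the flaw concrete, the following is an added example (not code from the Go project or from this bug) of a strict chunked-body decoder that enforces what the fix restores: a chunk-size line must be terminated by CRLF, and a bare LF is an error rather than a tolerated line ending. The function names (`DecodeChunked`, `readChunkLine`, `parseChunkSize`) and the sample bodies are constructed for this example; trailers are deliberately not supported.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

var errBareLF = errors.New("chunk-size line terminated by bare LF, not CRLF")

// readChunkLine reads one line up to and including '\n' and requires that the
// byte before it is '\r'. Returns the line without its CRLF terminator.
func readChunkLine(r *bufio.Reader) ([]byte, error) {
	line, err := r.ReadSlice('\n')
	if err != nil {
		return nil, err
	}
	if len(line) < 2 || line[len(line)-2] != '\r' {
		return nil, errBareLF
	}
	return line[:len(line)-2], nil
}

// parseChunkSize parses the hexadecimal chunk-size, ignoring any chunk-ext
// that follows a ';'. Whitespace-only or non-hex sizes are rejected.
func parseChunkSize(line []byte) (int64, error) {
	if i := bytes.IndexByte(line, ';'); i >= 0 {
		line = line[:i]
	}
	line = bytes.TrimSpace(line)
	if len(line) == 0 {
		return 0, errors.New("empty chunk-size")
	}
	n, err := strconv.ParseInt(string(line), 16, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid chunk-size %q", line)
	}
	return n, nil
}

// DecodeChunked decodes a chunked transfer-coding body strictly and returns
// the reassembled payload, or an error on any framing violation.
func DecodeChunked(raw []byte) ([]byte, error) {
	r := bufio.NewReader(bytes.NewReader(raw))
	var out bytes.Buffer
	for {
		line, err := readChunkLine(r)
		if err != nil {
			return nil, err
		}
		size, err := parseChunkSize(line)
		if err != nil {
			return nil, err
		}
		if size == 0 {
			// last-chunk: this example accepts only an empty trailer section,
			// i.e. the final CRLF must follow immediately.
			end, err := readChunkLine(r)
			if err != nil {
				return nil, err
			}
			if len(end) != 0 {
				return nil, errors.New("trailers not supported in this example")
			}
			return out.Bytes(), nil
		}
		if _, err := io.CopyN(&out, r, size); err != nil {
			return nil, err
		}
		// chunk-data must itself be followed by CRLF.
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(r, crlf); err != nil {
			return nil, err
		}
		if crlf[0] != '\r' || crlf[1] != '\n' {
			return nil, errors.New("chunk-data not terminated by CRLF")
		}
	}
}

func main() {
	// Constructed sample bodies: the second differs only in the bare LF after "5".
	samples := map[string][]byte{
		"crlf":    []byte("5\r\nhello\r\n0\r\n\r\n"),
		"bare-lf": []byte("5\nhello\r\n0\r\n\r\n"),
	}
	for name, body := range samples {
		payload, err := DecodeChunked(body)
		fmt.Printf("%-8s payload=%q err=%v\n", name, payload, err)
	}
}
```

The point of the strict check is interoperability: two parsers that disagree on where a chunk-size line ends can disagree on where one request ends and the next begins, which is the condition the description above calls out. Rejecting the bare LF removes the ambiguity on the net/http side.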

Comment 5 Tom Sweeney 2025-04-30 20:41:55 UTC
Could somebody please add a value to the "Fixed in Version" field?

@jwest ?

Comment 6 Tom Sweeney 2025-04-30 20:47:35 UTC
And FWIW, I believe the "Fixed in Version" value should be: Go 1.24.2 and Go 1.23.8

Comment 7 Debarshi Ray 2025-05-01 23:58:42 UTC
(In reply to Tom Sweeney from comment #6)
> And FWIW, I believe the "Fixed in Version" value should be: Go 1.24.2 and Go
> 1.23.8

Yes, that's right.  These are the commits:
https://github.com/golang/go/commit/ac1f5aa3d62efe21e65ce4dc30e6996d59acfbd0
https://github.com/golang/go/commit/15e01a2e43ecb8c7e15ff7e9d62fe3f10dcac931

Comment 8 Jeremy West 2025-05-05 14:19:13 UTC
Hey Tom.  The "Fixed in Version" field is usually set by the engineering team based on which internal build contains the fix.