CVE-2025-22871

9.1 CRITICAL

📋 TL;DR

This vulnerability in Go's net/http package allows HTTP request smuggling when servers incorrectly accept bare line feed characters as chunked transfer encoding terminators. It affects Go applications using net/http as a server, particularly when deployed behind proxies or load balancers with different HTTP parsing behavior.

💻 Affected Systems

Products:
  • Go programming language
Versions: Go 1.22.0 through 1.22.10, Go 1.23.0 through 1.23.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the net/http package as an HTTP server. Requires deployment behind a proxy or server with different HTTP parsing behavior.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could smuggle malicious requests, bypass security controls, poison caches, or perform session hijacking and credential theft.

🟠

Likely Case

Request smuggling leading to cache poisoning, security control bypass, or unauthorized access to backend systems.

🟢

If Mitigated

Limited impact if proper WAFs, request validation, and updated proxy servers are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific proxy/server configurations and knowledge of target architecture.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.22.11, Go 1.23.3

Vendor Advisory: https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk

Restart Required: Yes

Instructions:

  1. Update Go to version 1.22.11 or 1.23.3.
  2. Recompile and redeploy affected applications.
  3. Restart all services using the patched Go runtime.

🔧 Temporary Workarounds

Use alternative HTTP server
  Applies to: all
  Temporarily switch to a different HTTP server implementation that does not use the net/http package.

Deploy WAF with HTTP normalization
  Applies to: all
  Configure the Web Application Firewall to normalize HTTP requests and reject malformed chunked encoding.

🧯 If You Can't Patch

  • Deploy reverse proxies that normalize HTTP requests before forwarding to Go applications
  • Implement request validation middleware to detect and reject malformed chunked transfer encoding
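The validation the bullets above call for, as an added example that is not part of this advisory or of Go's own net/http code: a strict chunked-body decoder that accepts only CRLF line terminators and reports a bare LF as a distinct error. Because net/http decodes chunking before a handler sees the body, a check like this belongs in a normalizing reverse proxy or in a test harness that feeds raw request bodies; the names DecodeChunkedStrict and ErrBareLF are this example's own, and the sample bodies in the test are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"strconv"
)

// ErrBareLF marks a lone '\n' where RFC 9112 requires a "\r\n" line terminator.
var ErrBareLF = errors.New("chunked encoding: bare LF used as line terminator")
// readLineCRLF splits off the next line, accepting only a CRLF terminator.
func readLineCRLF(in []byte) (line, rest []byte, err error) {
	i := bytes.IndexByte(in, '\n')
	if i < 0 {
		return nil, nil, errors.New("chunked encoding: truncated line")
	}
	if i == 0 || in[i-1] != '\r' {
		return nil, nil, ErrBareLF
	}
	return in[:i-1], in[i+1:], nil
}

// DecodeChunkedStrict decodes a chunked body (no trailer fields), failing on any line terminator that is not CRLF.
func DecodeChunkedStrict(body []byte) (out []byte, err error) {
	for rest := body; ; {
		line, r, err := readLineCRLF(rest)
		if err != nil {
			return nil, err
		}
		line, _, _ = bytes.Cut(line, []byte{';'}) // drop any ";name=value" chunk extension
		size, err := strconv.ParseUint(string(line), 16, 32)
		if err != nil {
			return nil, errors.New("chunked encoding: bad chunk size " + strconv.Quote(string(line)))
		}
		if uint64(len(r)) < size {
			return nil, errors.New("chunked encoding: truncated chunk data")
		}
		end, next, err := readLineCRLF(r[size:]) // data must be followed by an empty CRLF line
		if err == nil && len(end) != 0 {
			err = errors.New("chunked encoding: chunk data not followed by CRLF")
		}
		if err != nil {
			return nil, err
		}
		out, rest = append(out, r[:size]...), next
		if size == 0 { // the last-chunk and its empty trailer section were consumed
			return out, nil
		}
	}
}
```

A body such as "5\nhello\r\n0\r\n\r\n" (bare LF after the chunk size) returns ErrBareLF, while the same body with CRLF decodes to "hello".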

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. If the version is between 1.22.0-1.22.10 or 1.23.0-1.23.2 and the application uses the net/http server, it is vulnerable.

Check Version:

go version

Verify Fix Applied:

Verify with 'go version' that the Go version is 1.22.11 or 1.23.3+. Test with HTTP requests containing a bare LF in chunked encoding to confirm that they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 400 errors for malformed requests
  • Unusual request patterns in access logs
  • Requests with abnormal Content-Length or Transfer-Encoding headers

Network Indicators:

  • HTTP requests with bare LF characters in chunked encoding
  • Mismatched request/response patterns between proxy and backend

SIEM Query:

source="web_logs" AND (http_status=400 AND (message="*chunk*" OR message="*transfer-encoding*"))
