CVE-2025-22871

CRITICAL

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

CVSS v3.1 Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Complexity

LOW

Privileges

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Published: 4/8/2025Modified: 5/12/2026

Related Intelligence (1)

CRITICALVulnerability

Siemens SENTRON 7KT PAC1261 Data Manager

<p><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-134-14.json"><strong>View CSAF</strong></a></p> <h2>Summary</h2> <p><strong>The web server in SENTRON 7KT PAC1261 Data Manager Before V2.1.0 contains a request smuggling vulnerability in the Go Project's net/http package that could allow an attacker to retrieve authorization tokens that can be used to ga

CVE-2025-22871

4d agoCISA Advisories

References (6)

https://go.dev/cl/652998 https://go.dev/issue/71988 https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk https://pkg.go.dev/vuln/GO-2025-3563 http://www.openwall.com/lists/oss-security/2025/04/04/4 https://cert-portal.siemens.com/productcert/html/ssa-783943.html