VYPR
Critical severity9.1GHSA Advisory· Published Apr 8, 2025· Updated May 12, 2026

CVE-2025-22871

CVE-2025-22871

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
spiral/roadrunnerPackagist
< 2025.1.02025.1.0

Affected products

3438

Patches

Vulnerability mechanics

References

11

News mentions

1