Critical severity9.1NVD Advisory· Published Apr 8, 2025· Updated May 12, 2026

CVE-2025-22871

Description

The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Patches

f269279ee87d

chore: update go toolchain

https://github.com/roadrunner-server/roadrunnerValery PiashchynskiMay 1, 2025via ghsa

commit

1 file changed · +1 −1

go.mod+1 −1 modified

@@ -2,7 +2,7 @@ module github.com/roadrunner-server/roadrunner/v2025
 
 go 1.24
 
-toolchain go1.24.0
+toolchain go1.24.2
 
 require (
 	github.com/buger/goterm v1.0.4

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-g9pc-8g42-g6vqghsaADVISORY
www.openwall.com/lists/oss-security/2025/04/04/4nvd
cert-portal.siemens.com/productcert/html/ssa-783943.htmlnvd
github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605faghsa
github.com/roadrunner-server/roadrunner/issues/2166ghsa
github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0ghsa
go.dev/cl/652998nvd
go.dev/issue/71988nvd
groups.google.com/g/golang-announce/c/Y2uBTVKjBQknvd
nvd.nist.gov/vuln/detail/CVE-2025-22871ghsa
pkg.go.dev/vuln/GO-2025-3563nvd

News mentions

Siemens SENTRON 7KT PAC1261 Data Manager
CISA Alerts

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000