Message-ID: <063b927b-4a6a-448d-9e8f-28b8c64a6539@oracle.com>
Date: Fri, 4 Apr 2025 13:53:35 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-22871 : Go net/http: request smuggling through invalid chunked data

https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk/m/cs_6qIK5BAAJ
announces the release of Go versions 1.24.2 and 1.23.8, including a
security fix for:

>     net/http: request smuggling through invalid chunked data
> 
>     The net/http package accepted data in the chunked transfer encoding
>     containing an invalid chunk-size line terminated by a bare LF.
>     When used in conjunction with a server or proxy which incorrectly
>     interprets a bare LF in a chunk extension as part of the extension,
>     this could permit request smuggling.
> 
>     The net/http package now rejects chunk-size lines containing a bare LF.
> 
>     Thanks to Jeppe Bonde Weikop for reporting this issue.
> 
>     This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
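A strict chunked-body parser that behaves the way the fix above describes, rejecting any chunk-size line (including one carrying a chunk extension) that is terminated by a bare LF instead of CRLF. This is an added Go example, not the net/http code or the actual patch; the function names and the 16 MiB chunk cap are this example's own choices.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strconv"
	"strings"
)

// ErrBareLF is returned when a chunk-size line is not terminated by CRLF.
var ErrBareLF = errors.New("chunk-size line terminated by bare LF")

// readChunkSizeLine reads one "chunk-size [ chunk-ext ] CRLF" line and returns
// the size and the raw extension. A bare LF terminator is an error, not a line ending.
func readChunkSizeLine(r *bufio.Reader) (uint64, string, error) {
	line, err := r.ReadBytes('\n') // terminator included, if one was found
	if err != nil {
		return 0, "", err
	}
	if !bytes.HasSuffix(line, []byte("\r\n")) {
		return 0, "", ErrBareLF
	}
	sizeStr, ext, _ := strings.Cut(string(line[:len(line)-2]), ";")
	// ParseUint rejects empty, signed and non-hex input; bitSize 24 (16 MiB cap) is this example's bound.
	size, err := strconv.ParseUint(strings.TrimRight(sizeStr, " \t"), 16, 24)
	if err != nil {
		return 0, "", errors.New("invalid chunk-size " + strconv.Quote(sizeStr))
	}
	return size, ext, nil
}

// decodeChunked decodes a complete chunked body; malformed framing aborts decoding
// rather than being guessed at, so a strict peer can never see a different body length.
func decodeChunked(body []byte) ([]byte, error) {
	r := bufio.NewReader(bytes.NewReader(body))
	var out []byte
	for {
		size, _, err := readChunkSizeLine(r)
		if err != nil || size == 0 { // size 0 is the last-chunk; trailers not processed
			return out, err // callers must check err before using out
		}
		chunk := make([]byte, size+2) // chunk-data plus its trailing CRLF
		if _, err := io.ReadFull(r, chunk); err != nil || !bytes.HasSuffix(chunk, []byte("\r\n")) {
			return nil, errors.New("chunk-data not followed by CRLF")
		}
		out = append(out, chunk[:size]...)
	}
}
```

The constructed bodies below show that a CRLF-terminated chunk-size line with an extension decodes normally, while the same line ended by a bare LF is refused before any body bytes are consumed.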
