Status: Closed
Labels: BugReport (issues describing a possible bug in the Go implementation), Critical (a critical problem that affects the availability or correctness of production systems built using Go), NeedsFix (the path to resolution is known, but the work has not been done), Security
Description
HTTP/1 uses CRLF as a line terminator, but permits implementations to accept a bare LF as a terminator in certain locations. It does not permit a bare LF to be used in the chunked encoding, however. (See https://www.rfc-editor.org/errata/eid7633, in particular the notes on why the proposed erratum was rejected.)
We reject bare LFs ending chunk-data lines, but accept them in chunk-size lines. This can, if combined with an implementation that incorrectly permits a bare CR in a chunk-ext, permit request smuggling.
We should reject bare LFs in chunk-size lines.
This is a PUBLIC track security issue and CVE-2025-22871.
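The following is an added illustration, not code from the Go project: a minimal chunked-body decoder with a strict mode that requires CRLF after every chunk-size line and a lenient mode that also accepts a bare LF, the behaviour described above. The sample body is constructed; chunk extensions and trailers are not handled.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// DecodeChunked decodes a chunked body up to the last-chunk (size 0); trailers
// and chunk extensions are not handled. strict requires CRLF after every
// chunk-size line, as the chunked encoding grammar demands; lenient mode also
// accepts a bare LF, the behaviour this issue reports. Chunk-data must always
// end in CRLF in both modes.
func DecodeChunked(body []byte, strict bool) ([]byte, error) {
	r := bufio.NewReader(bytes.NewReader(body))
	var out []byte
	for {
		line, err := r.ReadBytes('\n')
		if err != nil {
			return nil, err
		}
		if strict && !bytes.HasSuffix(line, []byte("\r\n")) {
			return nil, errors.New("chunk-size line terminated by bare LF")
		}
		n, err := strconv.ParseUint(string(bytes.TrimRight(line, "\r\n")), 16, 63)
		if err != nil || n == 0 { // malformed size, or the last-chunk
			return out, err
		}
		buf := make([]byte, n+2) // chunk-data plus its CRLF terminator
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		if !bytes.Equal(buf[n:], []byte("\r\n")) {
			return nil, errors.New("chunk-data not terminated by CRLF")
		}
		out = append(out, buf[:n]...)
	}
}

func main() {
	// Constructed sample: the chunk-size line ends in a bare LF, not CRLF.
	body := []byte("5\nhello\r\n0\r\n\r\n")
	for _, strict := range []bool{false, true} {
		got, err := DecodeChunked(body, strict)
		fmt.Printf("strict=%v data=%q err=%v\n", strict, got, err)
	}
}
```

The lenient decoder returns "hello" for the sample while the strict one rejects it; a bare LF after the chunk-data is rejected in both modes, matching the asymmetry the issue describes.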