Description

net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. Vendor Affected Components: Go: 1.23.x < 1.23.8

More Details: CVE-2025-22871

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score:
9.1

Recommendation

Since grafana/tempo:2.7.2 uses 1.23.7 version of Go, the recommendation is to Update Go to version 1.23.8 or later.