
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-22871 is a security vulnerability discovered in Go's net/http package. The vulnerability was disclosed on April 1, 2025, affecting Go versions before 1.23.8 and before 1.24.2. The issue involves the net/http package improperly accepting a bare LF (Line Feed) as a line terminator in chunked data chunk-size lines (Go Announce, NVD).
The vulnerability exists in the net/http package's handling of chunked transfer encoding. Specifically, the package incorrectly accepts data containing an invalid chunk-size line terminated by a bare LF. This implementation flaw could lead to request smuggling when the net/http server is used in conjunction with a server that incorrectly interprets a bare LF in a chunk extension as part of the extension (OSS Security, Go Issue).
The vulnerability can enable request smuggling attacks when the affected Go net/http server is used in combination with other servers that incorrectly handle bare LF characters in chunk extensions. This could potentially lead to unauthorized access or manipulation of HTTP requests (Go Vuln).
The issue has been fixed in Go versions 1.23.8 and 1.24.2. The fix involves modifying the net/http package to reject chunk-size lines containing a bare LF. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Go Announce).
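As an added illustration (not code from the Go project or from this page), the following strict chunked-body reader refuses a chunk-size line that ends in a bare LF, which is the behaviour the fix is described as introducing. The names `readChunkSize`, `decodeChunked` and `ErrBareLF` are hypothetical, the sample body is constructed, and trailer fields and line-length limits are left out.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

var ErrBareLF = errors.New("chunk-size line terminated by bare LF") // hypothetical name

// readChunkSize parses one chunk-size line and insists on a CRLF terminator.
func readChunkSize(r *bufio.Reader) (int64, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return 0, err
	}
	if !strings.HasSuffix(line, "\r\n") {
		return 0, ErrBareLF // LF without a preceding CR: reject instead of guessing
	}
	size, _, _ := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";") // drop any chunk extension
	n, err := strconv.ParseUint(strings.TrimRight(size, " \t"), 16, 63)
	return int64(n), err
}

// decodeChunked walks a chunked body and returns the payload; ignore the string when err != nil.
func decodeChunked(body string) (string, error) {
	r := bufio.NewReader(strings.NewReader(body))
	var out strings.Builder
	for {
		n, err := readChunkSize(r)
		if err != nil || n == 0 { // n == 0 is the last-chunk
			return out.String(), err
		}
		if _, err := io.CopyN(&out, r, n); err != nil {
			return "", err
		}
		if s, _ := r.ReadString('\n'); s != "\r\n" {
			return "", errors.New("chunk data not followed by CRLF")
		}
	}
}

func main() {
	// Constructed body whose chunk-size line ends in a bare LF after the extension.
	fmt.Println(decodeChunked("5;x=1\nhello\r\n0\r\n\r\n"))
}
```

Running it against the constructed body prints the `ErrBareLF` message, while the same body with `\r\n` after the extension decodes to `hello`.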
Source: This report was generated using AI