CVE-2025-22871: RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency

April 8, 2025 (updated October 24, 2025)

The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

References

github.com/advisories/GHSA-g9pc-8g42-g6vq
github.com/roadrunner-server/roadrunner
github.com/roadrunner-server/roadrunner/commit/f269279ee87d0b88127741cad1042389af7605fa
github.com/roadrunner-server/roadrunner/issues/2166
github.com/roadrunner-server/roadrunner/releases/tag/v2025.1.0
go.dev/cl/652998
go.dev/issue/71988
groups.google.com/g/golang-announce/c/Y2uBTVKjBQk
nvd.nist.gov/vuln/detail/CVE-2025-22871
pkg.go.dev/vuln/GO-2025-3563

Code Behaviors & Features

Detect and mitigate CVE-2025-22871 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →