GHSA-5423-jcjm-2gpv: Traefik affected by Go HTTP Request Smuggling Vulnerability
net/http: request smuggling through invalid chunked data

The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871]

Vendor Affected Components: Go: 1.23.x < 1.23.8
More Details: CVE-2025-22871
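
The strict line-ending rule at issue, as an added example (not code from Go, Traefik or this advisory): a validator that walks a raw chunked body and rejects any chunk-size line ending in a bare LF instead of CRLF. `CheckChunked` and `ErrBareLF` are hypothetical names, and the sample bodies are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// ErrBareLF reports a chunk-size line ended by LF without a preceding CR.
var ErrBareLF = errors.New("chunk-size line terminated by bare LF")

// CheckChunked returns the data byte count of a raw chunked body, or an error.
func CheckChunked(body []byte) (int, error) {
	total := 0
	for {
		nl := bytes.IndexByte(body, '\n')
		if nl < 0 {
			return total, errors.New("truncated chunk-size line")
		}
		// The first LF must close the line as CRLF, extension included.
		if nl == 0 || body[nl-1] != '\r' {
			return total, ErrBareLF
		}
		line := body[:nl-1]
		if i := bytes.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop the chunk extension before parsing the size
		}
		size, err := strconv.ParseUint(string(line), 16, 31)
		if err != nil {
			return total, fmt.Errorf("invalid chunk size %q", line)
		}
		body = body[nl+1:]
		if size == 0 {
			return total, nil // last chunk; trailers are not inspected here
		}
		if uint64(len(body)) < size+2 || string(body[size:size+2]) != "\r\n" {
			return total, errors.New("chunk data not followed by CRLF")
		}
		total += int(size)
		body = body[size+2:]
	}
}

func main() {
	// Constructed sample bodies: one well-formed, one with a bare-LF size line.
	for _, s := range []string{"5\r\nhello\r\n0\r\n\r\n", "5\nhello\r\n0\r\n\r\n"} {
		n, err := CheckChunked([]byte(s))
		fmt.Printf("%q -> %d data bytes, err=%v\n", s, n, err)
	}
}
```

A front end and back end that both enforce this rule agree on where each chunk, and therefore each request, ends.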
References
- github.com/advisories/GHSA-5423-jcjm-2gpv
- github.com/traefik/traefik
- github.com/traefik/traefik/releases/tag/v2.11.24
- github.com/traefik/traefik/releases/tag/v3.3.6
- github.com/traefik/traefik/releases/tag/v3.4.0-rc2
- github.com/traefik/traefik/security/advisories/GHSA-5423-jcjm-2gpv
- nvd.nist.gov/vuln/detail/CVE-2025-22871