The vulnerability CVE-2025-22871 originates in Go’s `net/http` library, which improperly accepted a bare Line Feed (\n) as a line terminator in chunked transfer encoding chunk-size lines, contrary to RFC 7230, which mandates a Carriage Return Line Feed (\r\n). When File Browser, which uses this library, is deployed behind a proxy or gateway that is more lenient and also accepts a bare LF, the two servers parse the HTTP message stream differently, creating a desynchronization. An attacker can craft a request whose chunk size is terminated by only a LF. The frontend server may process this correctly, but the backend Go-based File Browser server, interpreting the bare LF as a terminator, will parse the subsequent data differently. This discrepancy allows the attacker to smuggle a hidden request within the body of the initial one, which the frontend server will treat as a new, separate request, potentially leading to unauthorized access or data manipulation.
Platform: File Browser
Version: <= 2.45.1
Vulnerability: Request Smuggling
Severity: Critical
Date: 2025-11-13
Prediction: Patch 2025-11-20
What Undercode Says:
printf 'GET / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n\r\n5\nsmuggled\r\n0\n\r\n' | nc target 80
// Example vulnerable chunk parsing in net/http (simplified sketch of the pre-fix logic; needs "bufio" and "bytes").
// The readChunkLine function incorrectly accepted '\n' alone as a line terminator.
func readChunkLine(b *bufio.Reader) ([]byte, error) {
	p, err := b.ReadSlice('\n') // scans for '\n' without a strict "\r\n" check
	if err != nil {
		return nil, err
	}
	// a trailing "\r" is trimmed with other whitespace, so "5\r\n" and "5\n" look identical
	return bytes.TrimRight(p, " \t\r\n"), nil
}
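The lenient-versus-strict chunk-size parsing described above, as an added example (not code from this post, from Go's net/http or from File Browser): a simplified chunked-body decoder whose lenient mode mimics the pre-fix acceptance of a bare LF and whose strict mode requires CRLF, the check a patched server or a validating gateway applies. The sample bodies are constructed; the 1 MiB chunk cap is a demo limit, not a net/http constant.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"io"
	"strconv"
)
// readChunkSize reads one chunk-size line. With strict=false it mimics the
// pre-fix net/http behaviour (trailing whitespace trimmed, so "\n" and "\r\n"
// look alike); with strict=true it requires CRLF, as the patched Go does.
func readChunkSize(br *bufio.Reader, strict bool) (uint64, error) {
	line, err := br.ReadSlice('\n')
	if err != nil {
		return 0, err
	}
	if strict && (len(line) < 2 || line[len(line)-2] != '\r') {
		return 0, errors.New("chunked line ends with bare LF")
	}
	line = bytes.TrimRight(line, " \t\r\n") // chunk extensions omitted here
	n, err := strconv.ParseUint(string(line), 16, 64)
	if err != nil || n > 1<<20 { // demo cap keeps make() bounded
		return 0, errors.New("bad chunk size")
	}
	return n, nil
}
// decodeChunked decodes a chunked body up to the zero-size chunk (trailers
// are ignored). Each chunk's data must be followed by an exact CRLF.
func decodeChunked(body string, strict bool) ([]byte, error) {
	br := bufio.NewReader(bytes.NewReader([]byte(body)))
	var out bytes.Buffer
	for {
		n, err := readChunkSize(br, strict)
		if err != nil {
			return nil, err
		}
		if n == 0 {
			return out.Bytes(), nil
		}
		data := make([]byte, n+2) // chunk data plus its terminating CRLF
		if _, err := io.ReadFull(br, data); err != nil {
			return nil, err
		}
		if !bytes.HasSuffix(data, []byte("\r\n")) {
			return nil, errors.New("malformed chunked encoding")
		}
		out.Write(data[:n])
	}
}
```

On the constructed body "8\nsmuggled\r\n0\r\n\r\n" the lenient mode returns "smuggled" while the strict mode rejects the bare-LF size line; both modes accept the CRLF-terminated form.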
How to Exploit:
Craft malicious chunked request with bare LF terminators to poison the HTTP stream and bypass security controls.
Protection from this CVE:
Update to version 2.45.2.
Impact:
Unauthorized data access, security control bypass, cache poisoning.
Sources:
Reported By: github.com