net/http: reject bare LF in chunked encoding

[neild]

HTTP/1 uses CRLF as a line terminator, but permits implementations to accept a bare LF as a terminator in certain locations. It does not permit a bare LF to be used in the chunked encoding, however. (See https://www.rfc-editor.org/errata/eid7633, in particular the notes on why the proposed errata was rejected.)

We reject bare LFs ending chunk-data lines, but accept them in chunk-size lines. This can, if combined with an implementation that incorrectly permits a bare CR in a chunk-ext, permit request smuggling.

We should reject bare LFs in chunk-data lines.

This is a PUBLIC track security issue and CVE-2025-22871.

[gopherbot]

Change https://go.dev/cl/652998 mentions this issue: net/http: reject newlines in chunk-size lines

[gabyhelp]

Related Code Changes

• net/http: reject newlines in chunk-size lines

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[neild]

@gopherbot please open backport issues for this security fix.

[gopherbot]

Backport issue(s) opened: #72010 (for 1.23), #72011 (for 1.24).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[tsuna]

Can you clarify what you meant by "This can, if combined with an implementation that incorrectly permits a bare CR in a chunk-ext, permit request smuggling." — which "implementation" are we talking about here?

[neild]

If you have one HTTP implementation which permits a bare LF in the chunk-ext, and another that interprets a bare LF as a line terminator, you can smuggle a request through a proxy using one implementation to a server using the other.

You send a request body consisting of something like: length, ; (starting a chunk-ext), LF (implementation 1 thinks this is part of the chunk-ext, implementation 2 thinks this is the end of the chunk-size line), some carefully-chosen number of bytes (implementation 1 thinks this is the chunk-ext, implementation 2 thinks this is the body), CR LF 0 CR LF (implementation 1 thinks this is chunk-data, implementation 2 thinks this is the last-chunk), and headers for a new request (implementation 1 thinks this is chunk-data, implementation 2 thinks this is a new request).

Permitting an LF in the chunk-ext is a very uncommon bug.