x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-5423-jcjm-2gpv #3627

GoVulnBot · 2025-04-18T20:01:25Z

Advisory GHSA-5423-jcjm-2gpv references a vulnerability in the following Go modules:

Module
github.com/traefik/traefik
github.com/traefik/traefik/v2
github.com/traefik/traefik/v3

Description:

Summary

net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x < 1.23.8

More Details: CVE-2025-22871

Patches

References:

Cross references:

github.com/traefik/traefik appears in 20 other report(s):
- data/excluded/GO-2023-2117.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7v4p-328v-8v5g #2117) DEPENDENT_VULNERABILITY
- data/reports/GO-2022-0325.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23632 #325)
- data/reports/GO-2022-0808.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7h6j-2268-fhcm #808)
- data/reports/GO-2022-0923.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923)
- data/reports/GO-2022-1152.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-468w-8x39-gj5v #1152)
- data/reports/GO-2022-1154.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-h2ph-vhm7-g4hp #1154)
- data/reports/GO-2023-1919.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-r3fq-cmmw-cpmm #1919)
- data/reports/GO-2023-1950.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-2cjc-rgmp-x649 #1950)
- data/reports/GO-2023-2376.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376)
- data/reports/GO-2023-2377.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377)
- data/reports/GO-2023-2381.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-8g85-whqh-cr2f #2381)
- data/reports/GO-2024-2722.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722)
- data/reports/GO-2024-2726.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726)
- data/reports/GO-2024-2880.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880)
- data/reports/GO-2024-2917.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917)
- data/reports/GO-2024-2941.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941)
- data/reports/GO-2024-2973.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321 #2973)
- data/reports/GO-2024-3135.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135)
- data/reports/GO-2024-3299.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-52003 #3299)
- data/reports/GO-2024-3342.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-hxr6-2p24-hf98 #3342)
github.com/traefik/traefik/v2 appears in 18 other report(s):
- data/excluded/GO-2022-1057.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-c6hx-pjc3-7fqr #1057) DEPENDENT_VULNERABILITY
- data/excluded/GO-2023-1715.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-7hj9-rv74-5g92 #1715) DEPENDENT_VULNERABILITY
- data/reports/GO-2022-0325.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2022-23632 #325)
- data/reports/GO-2022-0923.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2021-32813, GHSA-m697-4v8f-55qg #923)
- data/reports/GO-2022-1152.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-468w-8x39-gj5v #1152)
- data/reports/GO-2022-1154.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-h2ph-vhm7-g4hp #1154)
- data/reports/GO-2023-2376.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376)
- data/reports/GO-2023-2377.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377)
- data/reports/GO-2023-2381.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-8g85-whqh-cr2f #2381)
- data/reports/GO-2024-2722.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722)
- data/reports/GO-2024-2726.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726)
- data/reports/GO-2024-2880.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880)
- data/reports/GO-2024-2917.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917)
- data/reports/GO-2024-2941.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941)
- data/reports/GO-2024-2973.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321 #2973)
- data/reports/GO-2024-3135.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135)
- data/reports/GO-2024-3299.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-52003 #3299)
- data/reports/GO-2024-3342.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-hxr6-2p24-hf98 #3342)
github.com/traefik/traefik/v3 appears in 12 other report(s):
- data/reports/GO-2023-2376.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47106 #2376)
- data/reports/GO-2023-2377.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2023-47633 #2377)
- data/reports/GO-2023-2381.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-8g85-whqh-cr2f #2381)
- data/reports/GO-2024-2722.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-4vwx-54mw-vqfw #2722)
- data/reports/GO-2024-2726.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-7f4j-64p6-5h5v #2726)
- data/reports/GO-2024-2880.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-f7cq-5v43-8pwp #2880)
- data/reports/GO-2024-2917.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-7jmw-8259-q9jx #2917)
- data/reports/GO-2024-2941.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v2: GHSA-rvj4-q8q5-8grf #2941)
- data/reports/GO-2024-2973.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-39321 #2973)
- data/reports/GO-2024-3135.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: GHSA-62c8-mh53-4cqv #3135)
- data/reports/GO-2024-3299.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik: CVE-2024-52003 #3299)
- data/reports/GO-2024-3342.yaml (x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-hxr6-2p24-hf98 #3342)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/traefik/traefik
      non_go_versions:
        - introduced: TODO (earliest fixed "3.4.0-rc2", vuln range "= 3.4.0-rc1")
      vulnerable_at: 1.7.34
    - module: github.com/traefik/traefik/v2
      versions:
        - fixed: 2.11.24
      vulnerable_at: 2.11.23
    - module: github.com/traefik/traefik/v3
      versions:
        - fixed: 3.3.6
      vulnerable_at: 3.3.5
summary: Traefik affected by Go HTTP Request Smuggling Vulnerability in github.com/traefik/traefik
ghsas:
    - GHSA-5423-jcjm-2gpv
references:
    - advisory: https://github.com/advisories/GHSA-5423-jcjm-2gpv
    - advisory: https://github.com/traefik/traefik/security/advisories/GHSA-5423-jcjm-2gpv
    - web: https://github.com/traefik/traefik/releases/tag/v2.11.24
    - web: https://github.com/traefik/traefik/releases/tag/v3.3.6
    - web: https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-22871
source:
    id: GHSA-5423-jcjm-2gpv
    created: 2025-04-18T20:01:24.815295813Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-04-22T16:56:41Z

Change https://go.dev/cl/667315 mentions this issue: data/reports: add 7 reports

GoVulnBot added the NeedsTriage label Apr 18, 2025

thatnealpatel added triaged and removed NeedsTriage labels Apr 22, 2025

gopherbot closed this as completed in 5d8ad7b Apr 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-5423-jcjm-2gpv #3627

x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-5423-jcjm-2gpv #3627

GoVulnBot commented Apr 18, 2025

gopherbot commented Apr 22, 2025

x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-5423-jcjm-2gpv #3627

x/vulndb: potential Go vuln in github.com/traefik/traefik/v3: GHSA-5423-jcjm-2gpv #3627

Comments

GoVulnBot commented Apr 18, 2025

Summary

Patches

gopherbot commented Apr 22, 2025