{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22871", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2025-01-08T19:11:42.834Z", "datePublished": "2025-04-08T20:04:34.769Z", "dateUpdated": "2025-04-18T14:57:31.331Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-04-08T20:04:34.769Z"}, "title": "Request smuggling due to acceptance of invalid chunked data in net/http", "descriptions": [{"lang": "en", "value": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."}], "affected": [{"vendor": "Go standard library", "product": "net/http/internal", "collectionURL": "https://pkg.go.dev", "packageName": "net/http/internal", "versions": [{"version": "0", "lessThan": "1.23.8", "status": "affected", "versionType": "semver"}, {"version": "1.24.0-0", "lessThan": "1.24.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "readChunkLine"}, {"name": "chunkedReader.Read"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}], "references": [{"url": "https://go.dev/cl/652998"}, {"url": "https://go.dev/issue/71988"}, {"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3563"}], "credits": [{"lang": "en", "value": "Jeppe Bonde Weikop"}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-08T21:03:21.913Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-18T14:57:03.151639Z", "id": "CVE-2025-22871", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T14:57:31.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-08T21:03:21.913Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-22871", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-18T14:57:03.151639Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-18T14:57:25.000Z"}}], "cna": {"title": "Request smuggling due to acceptance of invalid chunked data in net/http", "credits": [{"lang": "en", "value": "Jeppe Bonde Weikop"}], "affected": [{"vendor": "Go standard library", "product": "net/http/internal", "versions": [{"status": "affected", "version": "0", "lessThan": "1.23.8", "versionType": "semver"}, {"status": "affected", "version": "1.24.0-0", "lessThan": "1.24.2", "versionType": "semver"}], "packageName": "net/http/internal", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "readChunkLine"}, {"name": "chunkedReader.Read"}]}], "references": [{"url": "https://go.dev/cl/652998"}, {"url": "https://go.dev/issue/71988"}, {"url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"}, {"url": "https://pkg.go.dev/vuln/GO-2025-3563"}], "descriptions": [{"lang": "en", "value": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2025-04-08T20:04:34.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22871", "state": "PUBLISHED", "dateUpdated": "2025-04-18T14:57:31.331Z", "dateReserved": "2025-01-08T19:11:42.834Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2025-04-08T20:04:34.769Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext."}, {"lang": "es", "value": "El paquete net/http acepta incorrectamente un LF simple como terminador de l\u00ednea en l\u00edneas de datos fragmentados. Esto puede permitir el contrabando de solicitudes si se utiliza un servidor net/http junto con un servidor que acepta incorrectamente un LF simple como parte de una extensi\u00f3n fragmentada."}], "id": "CVE-2025-22871", "lastModified": "2025-04-18T15:15:57.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-08T20:15:20.183", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/652998"}, {"source": "security@golang.org", "url": "https://go.dev/issue/71988"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2025-3563"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/04/04/4"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/lighthouse-agent-rhel9:v0.20.1-1", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/lighthouse-coredns-rhel9:v0.20.1-1", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/nettest-rhel9:v0.20.1-4", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/subctl-rhel9:v0.20.1-2", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/submariner-gateway-rhel9:v0.20.1-1", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/submariner-globalnet-rhel9:v0.20.1-2", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/submariner-operator-bundle:v0.20.1-1", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/submariner-rhel9-operator:v0.20.1-2", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8691", "cpe": "cpe:/a:redhat:acm:2.13::el9", "package": "rhacm2/submariner-route-agent-rhel9:v0.20.1-2", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.13 for RHEL 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8477", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "golang-0:1.23.9-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8666", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "grafana-0:10.2.6-18.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8915", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "grafana-pcp-0:5.2.2-3.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-11T00:00:00Z"}, {"advisory": "RHSA-2025:8478", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "go-toolset:rhel8-8100020250602163653.a3795dee", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8667", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:9.2.10-25.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8918", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-pcp-0:5.1.1-10.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-11T00:00:00Z"}, {"advisory": "RHSA-2025:8685", "cpe": "cpe:/a:redhat:rhel_tus:8.8", "package": "grafana-0:7.5.15-7.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8974", "cpe": "cpe:/a:redhat:rhel_tus:8.8", "package": "go-toolset:rhel8-8080020250602234234.6b4b45d8", "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8983", "cpe": "cpe:/a:redhat:rhel_tus:8.8", "package": "grafana-pcp-0:3.2.0-4.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8685", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "grafana-0:7.5.15-7.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8974", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "go-toolset:rhel8-8080020250602234234.6b4b45d8", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8983", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "grafana-pcp-0:3.2.0-4.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9025", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "container-tools:rhel8-8080020250606083919.0f77c1b7", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8476", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "golang-0:1.23.9-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8682", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "grafana-0:10.2.6-14.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8916", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "grafana-pcp-0:5.1.1-11.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-06-11T00:00:00Z"}, {"advisory": "RHSA-2025:8984", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "grafana-pcp-0:3.2.0-4.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9043", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "golang-0:1.17.13-6.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8680", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "grafana-0:9.0.9-8.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8737", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "golang-0:1.19.13-16.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8982", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "grafana-pcp-0:5.1.1-3.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9017", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "buildah-1:1.29.5-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9018", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "skopeo-2:1.11.2-0.1.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9019", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "containernetworking-plugins-1:1.2.0-3.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:9020", "cpe": "cpe:/a:redhat:rhel_e4s:9.2", "package": "podman-2:4.4.1-22.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8539", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "containernetworking-plugins-1:1.4.0-6.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8601", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "gvisor-tap-vsock-6:0.7.3-5.el9_4.2", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8632", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "buildah-2:1.33.12-2.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8633", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "skopeo-2:1.14.5-2.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8634", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "podman-4:4.9.4-18.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8665", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "grafana-0:9.2.10-23.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8689", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "golang-0:1.21.13-9.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8975", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "grafana-pcp-0:5.1.1-5.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-06-12T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-db-migrator-tool-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-management-console-rhel8:1.36.0-6", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.36.0-13", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.36.0-8", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8670", "cpe": "cpe:/a:redhat:openshift_serverless:1.36::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.36.0-6", "product_name": "RHOSS-1.36-RHEL-8", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8298", "cpe": "cpe:/a:redhat:service_mesh:3.0::el9", "package": "registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:sha256:3a7f9a4d81b0c801a045b93d5fc0ea3f6bd051f6badf4dc1ec8d812a348d98e5", "product_name": "Red Hat OpenShift Service Mesh 3.0", "release_date": "2025-05-29T00:00:00Z"}], "bugzilla": {"description": "net/http: Request smuggling due to acceptance of invalid chunked data in net/http", "id": "2358493", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358493"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.", "A flaw was found in the net/http golang package. The net/http package incorrectly accepts messages that end with a line feed (LF) instead of the proper line ending. When used with another server that also misinterprets this, it can lead to request smuggling\u2014where an attacker tricks the system to send hidden or unauthorized requests."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-22871", "package_state": [{"cpe": "cpe:/a:redhat:assisted_installer:2", "fix_state": "Affected", "package_name": "rhai-tech-preview/assisted-installer-rhel8", "product_name": "Assisted Installer for Red Hat OpenShift Container Platform 2"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "cryostat-tech-preview/cryostat-storage-rhel8", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Affected", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:deployment_validator_operator", "fix_state": "Affected", "package_name": "deployment-validation-operator-container", "product_name": "Deployment Validation Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_fence_agents_remediation", "fix_state": "Affected", "package_name": "workload-availability/fence-agents-remediation-rhel8-operator", "product_name": "Fence Agents Remediation Operator"}, {"cpe": "cpe:/a:redhat:gatekeeper:3", "fix_state": "Affected", "package_name": "gatekeeper/gatekeeper-rhel9", "product_name": "Gatekeeper 3"}, {"cpe": "cpe:/a:redhat:kube_descheduler_operator:5", "fix_state": "Affected", "package_name": "kube-descheduler-operator/descheduler-rhel9", "product_name": "Kube Descheduler Operator"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/logging-loki-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lvms:4", "fix_state": "Not affected", "package_name": "lvms4/topolvm-rhel9", "product_name": "Logical Volume Manager Storage"}, {"cpe": "cpe:/a:redhat:workload_availability_machine_deletion_remediation", "fix_state": "Affected", "package_name": "workload-availability/machine-deletion-remediation-rhel8-operator", "product_name": "Machine Deletion Remediation Operator"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:7", "fix_state": "Affected", "package_name": "mta/mta-cli-rhel9", "product_name": "Migration Toolkit for Applications 7"}, {"cpe": "cpe:/a:redhat:rhmt", "fix_state": "Affected", "package_name": "rhmtc/openshift-migration-registry-rhel8", "product_name": "Migration Toolkit for Containers"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Affected", "package_name": "migration-toolkit-virtualization/mtv-api-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Affected", "package_name": "multicluster-engine/hive-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-agent-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:workload_availability_node_healthcheck", "fix_state": "Affected", "package_name": "workload-availability/node-healthcheck-rhel8-operator", "product_name": "Node HealthCheck Operator"}, {"cpe": "cpe:/a:redhat:workload_availability_nmo:5", "fix_state": "Affected", "package_name": "workload-availability/node-maintenance-rhel8-operator", "product_name": "Node Maintenance Operator"}, {"cpe": "cpe:/a:redhat:openshift_api_data_protection:1", "fix_state": "Affected", "package_name": "oadp/oadp-velero-rhel8", "product_name": "OpenShift API for Data Protection"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "helm", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins-agent-base-container", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "odo", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Affected", "package_name": "openshift-pipelines-client", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:run_once_duration_override_operator:1", "fix_state": "Affected", "package_name": "run-once-duration-override-operator/run-once-duration-override-rhel9", "product_name": "OpenShift Run Once Duration Override Operator"}, {"cpe": "cpe:/a:redhat:openshift_secondary_scheduler:1", "fix_state": "Affected", "package_name": "openshift-secondary-scheduler-operator/secondary-scheduler-rhel9-operator", "product_name": "OpenShift Secondary Scheduler Operator"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Will not fix", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:openshift_power_monitoring", "fix_state": "Affected", "package_name": "kepler-container", "product_name": "Power monitoring for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "authorino-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "flightctl", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "aap-cloud-ui-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy-openssl30", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-gateway-proxy-openssl32", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3.11-galaxy-ng", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "receptor", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "hawtio-operator-container", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Affected", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "rhceph/snmp-notifier-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Affected", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification-preflight", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "package_name": "redhat-certification-preflight", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:connectivity_link:1", "fix_state": "Affected", "package_name": "authorino-container", "product_name": "Red Hat Connectivity Link 1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Will not fix", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "delve", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "golang-github-openprinting-ipp-usb", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "gvisor-tap-vsock", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Will not fix", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhc-worker-playbook", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "yggdrasil", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "host-metering", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "rhc-worker-script", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/buildah", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "container-tools:rhel8/conmon", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/podman", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/skopeo", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "container-tools:rhel8/toolbox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "butane", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "conmon", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "containernetworking-plugins", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "git-lfs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "gvisor-tap-vsock", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "ignition", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "opentelemetry-collector", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "osbuild-composer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rhc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "toolbox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "trustee-guest-components", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "weldr-client", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "butane", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "conmon-rs", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "containernetworking-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "golang-github-prometheus-promu", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "ignition", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "kata-containers", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "microshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-clients", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift-kuryr", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ose-aws-ecr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ose-azure-acr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "ose-gcp-gcr-image-credential-provider", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "skopeo", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-cli-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/udi-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:devworkspace", "fix_state": "Affected", "package_name": "devworkspace/devworkspace-rhel8-operator", "product_name": "Red Hat OpenShift Dev Workspaces Operator"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_service_on_aws:1", "fix_state": "Affected", "package_name": "rosa", "product_name": "Red Hat OpenShift on AWS"}, {"cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1", "fix_state": "Affected", "package_name": "openshift-sandboxed-containers/osc-monitor-rhel9", "product_name": "Red Hat Openshift Sandboxed Containers"}, {"cpe": "cpe:/a:redhat:openshift_update_service:5", "fix_state": "Affected", "package_name": "cincinnati-operator-container", "product_name": "Red Hat OpenShift Update Service"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "rhosp-rhel8/osp-director-agent", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "etcd", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "golang-github-infrawatch-apputils", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "rhosp-rhel9/osp-director-agent", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "golang-github-openstack-k8s-operators-os-diff", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "sg-core-container", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Affected", "package_name": "quay/clair-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "foreman_ygg_worker", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "satellite:el8/yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Under investigation", "package_name": "yggdrasil", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "impact": "low", "package_name": "yggdrasil-worker-forwarder", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:service_interconnect:2", "fix_state": "Affected", "package_name": "skupper-cli", "product_name": "Red Hat Service Interconnect 2"}, {"cpe": "cpe:/a:redhat:webterminal:1", "fix_state": "Affected", "package_name": "web-terminal-exec-container", "product_name": "Red Hat Web Terminal"}, {"cpe": "cpe:/a:redhat:workload_availability_snr:0", "fix_state": "Affected", "package_name": "workload-availability/self-node-remediation-rhel8-operator", "product_name": "Self Node Remediation Operator"}, {"cpe": "cpe:/a:redhat:service_telemetry_framework:1.5::el8", "fix_state": "Affected", "package_name": "stf/sg-core-rhel8", "product_name": "Service Telemetry Framework 1.5 for RHEL 8"}], "public_date": "2025-04-08T20:04:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22871\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22871\nhttps://go.dev/cl/652998\nhttps://go.dev/issue/71988\nhttps://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk\nhttps://pkg.go.dev/vuln/GO-2025-3563"], "statement": "Red Hat Satellite includes affected component however product is not directly impacted since the vulnerability arises when \"net/http\" is used as a server. Satellite uses it solely as a client, so it's not exposed to the flaw. Product Security has assessed this as Low severity.", "threat_severity": "Moderate"}