Hi,
Lambda layer splunk-apm:117 has a CRITICAL finding:
https://nvd.nist.gov/vuln/detail/CVE-2025-22871
```json
{
  "ReferenceUrls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
    "https://groups.google.com/g/golang-announce/c/Y2uBTVKjBQk"
  ],
  "Cvss": [
    {
      "BaseScore": 9.1,
      "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "Version": "3.1",
      "Source": "NVD"
    },
    {
      "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "BaseScore": 9.1,
      "Version": "3.1",
      "Source": "NVD"
    }
  ],
  "FixAvailable": "YES",
  "ExploitAvailable": "NO",
  "VulnerablePackages": [
    {
      "FilePath": "extensions/splunk-extension-wrapper",
      "PackageManager": "GENERIC",
      "Version": "1.21.13",
      "Epoch": "0",
      "FixedInVersion": "1.24.2",
      "SourceLayerArn": "arn:aws:lambda:eu-north-1:254067382080:layer:splunk-apm:117",
      "Name": "go/stdlib"
    }
  ],
  "EpssScore": 0.00017,
  "Id": "CVE-2025-22871",
  "Vendor": {
    "VendorCreatedAt": "2025-04-08T20:15:20.000Z",
    "VendorSeverity": "CRITICAL",
    "Url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871",
    "Name": "NVD",
    "VendorUpdatedAt": "2025-04-18T15:15:57.000Z"
  }
}
```
This seems to be fixed in newer opentelemetry-lambda versions: open-telemetry/opentelemetry-lambda#1802
Please update splunk-apm.
Best regards,
Jonas Larsen