Описание
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.
Пакеты
Наименование
github.com/filebrowser/filebrowser/v2
go
Затронутые версииВерсия исправления
<= 2.45.1
2.45.2
9.1 Critical
CVSS3
Дефекты
CWE-1395
9.1 Critical
CVSS3
Дефекты
CWE-1395