PatchSiren cyber security CVE debrief
CVE-2025-22871 Cert Portal CVE debrief
CVE-2025-22871 is a critical HTTP request smuggling issue in the Go net/http package. When decoding chunked transfer coding, net/http accepted a bare LF (an LF not preceded by CR) as the terminator of a chunk-size line, where RFC 9112 requires CRLF. According to the supplied CISA/Siemens advisory material, the impact matters most when a net/http server is chained with another HTTP component that instead treats a bare LF as part of a chunk extension: the two parsers then disagree about where chunk data begins and ends, and that disagreement can be abused for request smuggling. The source item associates the advisory with Siemens SENTRON 7KT PAC1261 Data Manager versions before 2.1.0.
- Vendor: Cert Portal
- Product: Siemens SENTRON 7KT PAC1261 Data Manager, vers:intdot/<2.1.0 (versions before 2.1.0)
- CVSS: 9.1 CRITICAL
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Security teams responsible for Siemens SENTRON 7KT PAC1261 Data Manager deployments, operators of services built on Go's net/http, and defenders who manage HTTP chains involving reverse proxies, gateways, or other intermediary parsers. Exposure is greatest where untrusted network traffic reaches the affected component through another HTTP parser that terminates chunk-size lines differently.
Technical summary
The advisory describes a parsing flaw in Go's net/http chunked-transfer decoding: a bare LF is accepted as the terminator of a chunk-size line, where RFC 9112 requires CRLF. On its own this is lenient parsing. It becomes a request smuggling primitive when the same byte stream is also handled by an HTTP component that treats the bare LF as part of a chunk extension and keeps reading the size line up to the next CRLF. The two parsers then place the start of the chunk data at different offsets, so bytes that one parser reads as the end of the body followed by a second request, the other reads as body data of the first request. Supplied metadata rates the issue CVSS 3.1 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): network reachable, no privileges or user interaction required, high confidentiality and integrity impact, no availability impact.
Defensive priority
Urgent. Prioritize patching and configuration review for any exposed or internally chained HTTP path that could be affected, especially if the Siemens product mapping applies to your environment.
Recommended defensive actions
- Update Siemens SENTRON 7KT PAC1261 Data Manager to version 2.1.0 or later, as listed in the vendor remediation.
- For other services built with Go, rebuild with a toolchain that carries the upstream fix (Go 1.23.8 and 1.24.2, per the Go release notes; the supplied advisory does not list Go versions).
- Use encrypted protocols where supported, per the supplied remediation guidance. This protects hop-to-hop traffic from on-path tampering but does not change how the affected parser reads a bare LF.
- Inventory deployments to confirm whether Siemens SENTRON 7KT PAC1261 Data Manager versions before 2.1.0 are present.
- Review HTTP proxy and intermediary chains for parser consistency: every component that handles the same request path should end a chunk-size line only at CRLF. Send a chunked request whose size line ends in a bare LF through each hop and confirm that the hop rejects it, or at least that all hops decode it identically.
- Track the Siemens advisory SSA-783943 and CISA advisory ICSA-26-134-14 for any follow-on updates or clarifications.
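To make the parser disagreement in the technical summary concrete, and as the kind of differential check the action item on parser consistency calls for, here is an added example. It is not code from the advisory, from Go's net/http, or from Siemens. It implements a minimal chunked-body decoder three times, differing only in how a chunk-size line may end: CRLF only (the RFC 9112 rule and the fixed behaviour), CRLF or a bare LF (the vulnerable net/http behaviour), and LF treated as part of the chunk extension (the chained component the advisory describes). The input stream, the `;x` extension and the `GET /admin` request line are constructed for the demonstration; the decoder is simplified (no trailers, no size limits) and is not net/http's implementation.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
)

// lineMode selects how a parser decides where a chunk-size line ends.
type lineMode int

const (
	strictCRLF    lineMode = iota // RFC 9112: only CRLF ends the line (the fixed behaviour)
	bareLF                        // vulnerable net/http: a bare LF also ends the line
	lfInExtension                 // the chained component: LF is line content until a CRLF
)

// readSizeLine returns the chunk-size line without its terminator and the
// number of bytes consumed, according to mode.
func readSizeLine(buf []byte, mode lineMode) ([]byte, int, error) {
	for i := 0; i < len(buf); i++ {
		if buf[i] == '\r' && i+1 < len(buf) && buf[i+1] == '\n' {
			return buf[:i], i + 2, nil
		}
		if buf[i] == '\n' {
			switch mode {
			case strictCRLF:
				return nil, 0, errors.New("bare LF in chunk-size line")
			case bareLF:
				return buf[:i], i + 1, nil
			} // lfInExtension: keep scanning, the LF is taken as part of the extension
		}
	}
	return nil, 0, errors.New("unterminated chunk-size line")
}

// decodeChunked decodes one chunked body and returns it together with the
// bytes left on the connection after the last-chunk. Trailers are not
// supported and chunk extensions are discarded.
func decodeChunked(stream []byte, mode lineMode) (body, rest []byte, err error) {
	buf := stream
	for {
		line, n, err := readSizeLine(buf, mode)
		if err != nil {
			return nil, nil, err
		}
		buf = buf[n:]
		if i := bytes.IndexByte(line, ';'); i >= 0 {
			line = line[:i] // drop the chunk extension
		}
		size, err := strconv.ParseUint(string(line), 16, 32)
		if err != nil {
			return nil, nil, fmt.Errorf("bad chunk size %q: %w", line, err)
		}
		if uint64(len(buf)) < size+2 || !bytes.Equal(buf[size:size+2], []byte("\r\n")) {
			return nil, nil, errors.New("chunk not followed by CRLF")
		}
		if size == 0 {
			return body, buf[2:], nil // last-chunk: remaining bytes belong to the next request
		}
		body = append(body, buf[:size]...)
		buf = buf[size+2:]
	}
}

// buildDesyncStream builds a constructed (not captured) chunked body whose
// chunk-size line ends in a bare LF. A bare-LF parser takes the padding as
// chunk data and then sees `smuggled` as the start of a second request; an
// LF-in-extension parser takes the same bytes as one request whose body
// contains `smuggled`.
func buildDesyncStream(smuggled string) []byte {
	inner := "0\r\n\r\n" + smuggled                   // chunk data for the LF-in-extension parser
	pad := bytes.Repeat([]byte("A"), len(inner)) // chunk data for the bare-LF parser
	var b bytes.Buffer
	fmt.Fprintf(&b, "%x;x\n%s\r\n%s\r\n0\r\n\r\n", len(inner), pad, inner)
	return b.Bytes()
}

func main() {
	stream := buildDesyncStream("GET /admin HTTP/1.1\r\n\r\n")
	for _, m := range []struct {
		name string
		mode lineMode
	}{
		{"strict CRLF (RFC 9112, fixed net/http)", strictCRLF},
		{"bare LF accepted (vulnerable net/http)", bareLF},
		{"LF kept in extension (chained component)", lfInExtension},
	} {
		body, rest, err := decodeChunked(stream, m.mode)
		fmt.Printf("%s: err=%v body=%q rest=%q\n", m.name, err, body, rest)
	}
}
```

Running it shows the strict decoder rejecting the stream, the bare-LF decoder returning 28 bytes of body with a `GET /admin` request left waiting on the connection, and the LF-in-extension decoder consuming everything as a single body. A front end with the third behaviour forwards what it believes is one request; a back end with the second executes two. The same harness, fed to each real hop over a raw socket instead of an in-memory function, is the check to run on every component in a chain.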
Evidence notes
All timing in this debrief is taken from the supplied CVE and advisory timeline fields: published 2026-05-12 and modified 2026-05-14. The source item is a CISA CSAF advisory republishing Siemens ProductCERT advisory SSA-783943, and it explicitly states the bare-LF chunked parsing flaw plus the vendor remediation to update to 2.1.0 or later. The vendor mapping in the user-supplied metadata is marked low confidence and needs review, so the Siemens product association should be validated in environment-specific inventories. No KEV entry is present in the supplied data.
Official resources
- CVE-2025-22871 CVE record (CVE.org)
- CVE-2025-22871 NVD detail (NVD)
- Source item: CISA CSAF advisory (cisa_csaf)
CVE published: 2026-05-12T00:00:00.000Z. CVE modified: 2026-05-14T06:00:00.000Z. The source advisory was published on the same date and republished/updated on 2026-05-14. PatchSiren publication or review timing is not the CVE issue date.