The Go standard library net/http package incorrectly handles chunked transfer encoding by accepting bare LF characters as line terminators in chunk-size lines. This inconsistent interpretation can lead to HTTP request smuggling (CWE-444) when the vulnerable Go server is paired with another server that also misinterprets chunk extensions. The vulnerability is present in versions up to 1.24.0-0 and has a CVSS v3.1 score of 9.1, indicating critical severity. No official remediation or patch has been published as of the vulnerability disclosure date.

Successful exploitation of this vulnerability could allow an attacker to perform HTTP request smuggling attacks, potentially leading to request desynchronization between front-end and back-end servers. This may result in unauthorized request manipulation, information disclosure, or bypassing security controls. The CVSS score of 9.1 reflects high impact on confidentiality and integrity, with no impact on availability. No known exploits have been reported in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should carefully evaluate deployment architectures involving net/http servers in conjunction with other HTTP servers that may also improperly handle chunked encoding. Consider implementing additional HTTP request validation or using reverse proxies that normalize HTTP requests to mitigate potential request smuggling risks.