Advisory GHSA-6jqf-mv7m-3q7p references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/filebrowser/filebrowser |
| github.com/filebrowser/filebrowser/v2 |
Description:
The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.
References:
- ADVISORY: GHSA-6jqf-mv7m-3q7p
- ADVISORY: GHSA-6jqf-mv7m-3q7p
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-22871
Cross references:
- github.com/filebrowser/filebrowser appears in 10 other report(s):
  - data/reports/GO-2025-3784.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser/v2: GHSA-4wx8-5gm2-2j97 #3784)
  - data/reports/GO-2025-3785.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-jj2r-455p-5gvf #3785)
  - data/reports/GO-2025-3786.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3q2w-42mv-cph4 #3786)
  - data/reports/GO-2025-3790.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3v48-283x-f2w4 #3790)
  - data/reports/GO-2025-3792.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-cm2r-rg7r-p7gg #3792)
  - data/reports/GO-2025-3793.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-hc8f-m8g5-8362 #3793)
  - data/reports/GO-2025-3794.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-rmwh-g367-mj4x #3794)
  - data/reports/GO-2025-3795.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-w7qc-6grj-w7r8 #3795)
  - data/reports/GO-2025-3811.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xqm-7738-642x #3811)
  - data/reports/GO-2025-3812.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xwp-2cpp-p8r7 #3812)
- github.com/filebrowser/filebrowser/v2 appears in 11 other report(s):
  - data/reports/GO-2022-0563.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-72wf-hwcq-65h9 #563)
  - data/reports/GO-2025-3784.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser/v2: GHSA-4wx8-5gm2-2j97 #3784)
  - data/reports/GO-2025-3785.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-jj2r-455p-5gvf #3785)
  - data/reports/GO-2025-3786.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3q2w-42mv-cph4 #3786)
  - data/reports/GO-2025-3790.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3v48-283x-f2w4 #3790)
  - data/reports/GO-2025-3792.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-cm2r-rg7r-p7gg #3792)
  - data/reports/GO-2025-3793.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-hc8f-m8g5-8362 #3793)
  - data/reports/GO-2025-3794.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-rmwh-g367-mj4x #3794)
  - data/reports/GO-2025-3795.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-w7qc-6grj-w7r8 #3795)
  - data/reports/GO-2025-3811.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xqm-7738-642x #3811)
  - data/reports/GO-2025-3812.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xwp-2cpp-p8r7 #3812)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/filebrowser/filebrowser
      non_go_versions:
        - introduced: TODO (earliest fixed "2.45.2", vuln range "<= 2.45.1")
      vulnerable_at: 1.11.0
    - module: github.com/filebrowser/filebrowser/v2
      vulnerable_at: 2.45.3
summary: |-
    File Browser has risk of HTTP Request/Response smuggling through vulnerable
    dependency in github.com/filebrowser/filebrowser
ghsas:
    - GHSA-6jqf-mv7m-3q7p
references:
    - advisory: https://github.com/advisories/GHSA-6jqf-mv7m-3q7p
    - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6jqf-mv7m-3q7p
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-22871
source:
    id: GHSA-6jqf-mv7m-3q7p
    created: 2025-11-13T23:01:09.978336533Z
review_status: UNREVIEWED
```