🚀 Go 1.24.2 & 1.23.8 Released – Patch Alert for `net/http`

Published: Apr 7, 2025 Last Updated: Apr 7, 2025

Go just dropped 1.24.2 and 1.23.8 — both are minor point releases, but they come with an important security fix in the net/http package. If your Go apps deal with HTTP (which… let’s be honest, most of them do), you’ll want to update.

🩹 What’s Fixed? #

🔐 Request Smuggling via Invalid Chunked Data #

In some cases, Go’s net/http package accepted malformed chunked transfer-encoded data, specifically chunk-size lines that end with a bare \n instead of the proper \r\n.

This behavior could open the door for request smuggling attacks when used with certain proxies or servers that misinterpret chunk extensions.

✅ Fixed Behavior: #

Go now properly rejects chunk-size lines with a bare LF.

• CVE: CVE-2025-22871
• Reported by: Jeppe Bonde Weikop (huge thanks!)

📦 Go 1.24.2 #

🔧 How to update: #

If you’re on the latest stable track:

• Download binaries/source:
  👉 https://go.dev/dl/#go1.24.2

• Using Git clone:

  git checkout go1.24.2
  ./make.bash
  

• Release Notes:
  go1.24.2 changelog

📦 Go 1.23.8 #

Still on the 1.23 branch? No worries — the fix is backported there too.

🔧 How to update: #

• Download binaries/source:
  👉 https://go.dev/dl/#go1.23.8

• Using Git clone:

  git checkout go1.23.8
  ./make.bash
  

• Release Notes:
  go1.23.8 changelog

⚠️ Should You Update? #

Yes — absolutely. If your app accepts HTTP requests and you’re using the built-in net/http package, it’s time to patch up.

Even if you think your setup isn’t affected, defense-in-depth matters. Always better to fix a known issue than leave the door cracked open.

🙌 Final Notes #

Shoutout to the Go team and contributors for keeping the language rock-solid and secure 💙

Happy patching, and keep coding safely out there!
— A fellow Gopher 🐹