GHSA-g9pc-8g42-g6vq

Suggest an improvement
Source
https://github.com/advisories/GHSA-g9pc-8g42-g6vq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-g9pc-8g42-g6vq/GHSA-g9pc-8g42-g6vq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-g9pc-8g42-g6vq
Aliases
Downstream
Related
Published
2025-04-08T21:31:40Z
Modified
2025-10-24T21:12:35.266843Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
Details

The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Database specific 
{
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-10-24T20:57:40Z",
    "cwe_ids": [
        "CWE-1395",
        "CWE-444"
    ],
    "nvd_published_at": "2025-04-08T20:15:20Z",
    "github_reviewed": true
}
References

Affected packages

Packagist / spiral/roadrunner

Package

Name
spiral/roadrunner
Purl
pkg:composer/spiral/roadrunner

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2025.1.0

Affected versions

v0.*

v0.9.0

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.5
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.9.0
v1.9.1
v1.9.2

v2.*

v2.0.0-alpha1
v2.0.0-alpha2
v2.0.0-alpha3
v2.0.0-alpha5
v2.0.0-alpha6
v2.0.0-alpha7
v2.0.0-alpha10
v2.0.0-alpha11
v2.0.0-alpha12
v2.0.0-alpha13
v2.0.0-alpha14
v2.0.0-alpha15
v2.0.0-alpha16
v2.0.0-alpha17
v2.0.0-alpha18
v2.0.0-alpha19
v2.0.0-alpha20
v2.0.0-alpha21
v2.0.0-alpha22
v2.0.0-beta11
v2.0.0-beta12
v2.0.0-beta13
v2.0.0-beta19
v2.0.0-beta.21
v2.0.0-beta.22
v2.0.0-beta.24
v2.0.0-RC.1
v2.0.0-RC.3
v2.0.0-RC.4
v2.0.0
v2.0.1
v2.0.2-beta.1
v2.0.2-beta.2
v2.0.2
v2.0.3
v2.0.4
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.0-beta.3
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0-beta.1
v2.3.0-beta.2
v2.3.0-beta.3
v2.3.0
v2.3.1-beta.1
v2.3.1-beta.3
v2.3.1-beta.4
v2.3.1-beta.6
v2.3.1-rc.1
v2.3.1
v2.3.2
v2.4.0-alpha.1
v2.4.0-beta.1
v2.4.0-rc.1
v2.4.0
v2.4.1
v2.5.0-alpha.1
v2.5.0-alpha.2
v2.5.0-beta.1
v2.5.0-beta.2
v2.5.0-beta.3
v2.5.0-beta.4
v2.5.0-rc.1
v2.5.0-rc.2
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.6.0-alpha.1
v2.6.0-alpha.2
v2.6.0-alpha.3
v2.6.0-alpha.4
v2.6.0-alpha.5
v2.6.0-beta.1
v2.6.0-rc.1
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0-beta.1
v2.7.0-rc.1
v2.7.0-rc.2
v2.7.0
v2.7.1
v2.7.2-rc.1
v2.7.2-rc.2
v2.7.2-rc.3
v2.7.2-rc.4
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0-rc.1
v2.8.0-rc.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.9.0-alpha.1
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.10.0-alpha.1
v2.10.0-rc.1
v2.10.0-rc.2
v2.10.0-rc.3
v2.10.0-rc.4
v2.10.0-rc.5
v2.10.0-rc.6
v2.10.0-rc.7
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4-rc.1
v2.10.4
v2.10.5
v2.10.6
v2.10.7
v2.11.0-beta.1
v2.11.0-beta.2
v2.11.0-beta.3
v2.11.0-rc.1
v2.11.0
v2.11.1
v2.11.2
v2.11.3-rc.1
v2.11.3
v2.11.4-beta.1
v2.11.4
v2.12.0-alpha.1
v2.12.0-beta.1
v2.12.0-rc.1
v2.12.0
v2.12.1-rc.1
v2.12.1
v2.12.2-alpha.1
v2.12.2-alpha.2
v2.12.2
v2.12.3

v2023.*

v2023.1.0-alpha.1
v2023.1.0-alpha.2
v2023.1.0-beta.1
v2023.1.0-rc.1
v2023.1.0-rc.2
v2023.1.0
v2023.1.1
v2023.1.2
v2023.1.3
v2023.1.4
v2023.1.5
v2023.2.0-beta.1
v2023.2.0-beta.2
v2023.2.0-beta.3
v2023.2.0
v2023.2.1
v2023.2.2
v2023.3.0-beta.1
v2023.3.0-beta.2
v2023.3.0-rc.1
v2023.3.0
v2023.3.1
v2023.3.2
v2023.3.3
v2023.3.4
v2023.3.5
v2023.3.6
v2023.3.7
v2023.3.8
v2023.3.9
v2023.3.10
v2023.3.11
v2023.3.12

v2024.*

v2024.1.0
v2024.1.1
v2024.1.2
v2024.1.3
v2024.1.4
v2024.1.5
v2024.2.0
v2024.2.1
v2024.3.0
v2024.3.1
v2024.3.2
v2024.3.3
v2024.3.4
v2024.3.5