INFSA-2025:9623: osbuild-composer security update

Information about definition

Identificator: INFSA-2025:9623

Type: security

Release date: 2025-07-15 19:33:41 UTC

Information about package

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients.

Vulnerabilities description

  • CVE-2025-22871

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

Severity level

CVE Score CVSS 2.0 Score CVSS 3.x Score CVSS 4.0
Critical, important, moderate, low

Updated packages