CVE-2025-58056
Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
In short
Netty accepts incorrect line endings in HTTP requests, allowing attackers to trick it into processing requests differently than reverse proxies do. This can be exploited to sneak malicious requests past security checks.
Technical detail
Netty incorrectly parses HTTP/1.1 chunk extensions by accepting standalone LF instead of requiring CRLF terminators. When a reverse proxy interprets the request differently due to LF handling, an attacker can craft a request that appears as one message to the proxy but splits into two at the Netty layer, enabling HTTP request smuggling attacks.
Summary generated and translated by AI from the official description.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
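The difference between the two readings of a chunk-size line can be shown with a small decoder. This is an added example, not Netty's code or its patch: the names `decode_chunked`, `classify` and `ChunkFramingError` are hypothetical, the sample bodies are constructed, and the lenient mode only models the LF-accepting behaviour described above, while the strict mode requires CRLF as RFC 9112 does.

```python
# Added illustration (not Netty code): chunk-size line handling per RFC 9112 section 7.1.
HEX = b"0123456789abcdefABCDEF"

class ChunkFramingError(ValueError):
    pass

def _read_size_line(buf, pos, strict):
    """Return (chunk_size, offset_after_line). Strict mode accepts only CRLF."""
    lf = buf.find(b"\n", pos)
    if lf == -1:
        raise ChunkFramingError("unterminated chunk-size line")
    bare_lf = buf[max(lf - 1, pos):lf] != b"\r"
    if bare_lf and strict:
        raise ChunkFramingError(f"bare LF ends chunk-size line at offset {lf}")
    line = buf[pos:lf] if bare_lf else buf[pos:lf - 1]
    size_hex = line.split(b";", 1)[0]          # drop any chunk extension
    if not size_hex or any(c not in HEX for c in size_hex):
        raise ChunkFramingError(f"invalid chunk size {size_hex!r}")
    return int(size_hex, 16), lf + 1

def decode_chunked(buf, strict=True):
    """Decode one chunked body without trailers; return (payload, bytes_consumed)."""
    pos, out = 0, bytearray()
    while True:
        size, pos = _read_size_line(buf, pos, strict)
        if size == 0:
            if buf[pos:pos + 2] != b"\r\n":
                raise ChunkFramingError("missing final CRLF")
            return bytes(out), pos + 2
        end = pos + size
        if buf[end:end + 2] != b"\r\n":
            raise ChunkFramingError("chunk data not followed by CRLF")
        out += buf[pos:end]
        pos = end + 2

def classify(buf):
    """'ok', 'ambiguous' (only the lenient parser accepts it) or 'invalid'."""
    for strict, verdict in ((True, "ok"), (False, "ambiguous")):
        try:
            decode_chunked(buf, strict)
            return verdict
        except ChunkFramingError:
            continue
    return "invalid"

# Constructed sample bodies: the second ends its first chunk-size line with a bare LF.
WELL_FORMED = b"5;note=ok\r\nhello\r\n0\r\n\r\n"
BARE_LF = b"5;note=x\nhello\r\n0\r\n\r\n"
```

A body classified as `ambiguous` is one that a CRLF-strict component rejects but an LF-tolerant one accepts, which is the kind of disagreement between hops that the description identifies as the precondition for smuggling.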
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
netty · netty
References
https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
https://github.com/JLLeitschuh/unCVEed/issues/1
https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
https://github.com/netty/netty/issues/15522
https://github.com/netty/netty/pull/15611
https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
https://w4ke.info/2025/06/18/funky-chunks.html