PT-2025-35821 · Netty +1

Jeppw · Published 2025-09-03 · Updated 2025-09-05 · CVE-2025-58056

CVSS v4.0: 6.3
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions:

Netty version 4.1.124.Final

Netty versions 4.2.0.Alpha3 through 4.2.4.Final

Description:

Netty is an asynchronous event-driven network application framework. Netty incorrectly accepts a standalone newline character (LF) as a chunk-size line terminator in chunked transfer encoding, instead of requiring CRLF as HTTP/1.1 specifies. This can allow attackers to craft requests that a reverse proxy sees as one request but that Netty processes as two, enabling request smuggling attacks.
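The parser behaviour described above, as an added example that is not Netty's code: a small decoder for HTTP/1.1 chunked bodies with a strict mode (CRLF required after the chunk-size line and after chunk data, as RFC 9112 specifies) and a lenient mode that mirrors the defect by also accepting a bare LF, plus a check a front-end could run to reject bare-LF framing before forwarding. All function names and the two sample bodies are constructed for this example.

```python
"""Strict and lenient decoders for HTTP/1.1 chunked transfer encoding.

Added example, not Netty code: it models the class of parser defect
described in the advisory. RFC 9112 requires each chunk-size line (and
each chunk's data) to be terminated by CRLF. A decoder that also accepts
a bare LF can disagree with a strictly parsing front-end about where the
message body ends.
"""
import re

CRLF = b"\r\n"
LF = b"\n"

# chunk-size line without its terminator: hex size, optional chunk
# extensions (";name=value ...")
_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")


def _read_line(body: bytes, pos: int, strict: bool):
    """Read one framing line starting at pos.

    Returns (line_without_terminator, next_pos, bare_lf_used).
    In strict mode a bare LF is an error; in lenient mode it is accepted
    and reported, which is the behaviour the advisory describes.
    """
    lf = body.find(LF, pos)
    if lf == -1:
        raise ValueError(f"unterminated line at offset {pos}")
    if lf > pos and body[lf - 1] == 0x0D:  # LF preceded by CR: proper CRLF
        return body[pos:lf - 1], lf + 1, False
    if strict:
        raise ValueError(f"bare LF line terminator at offset {lf}")
    return body[pos:lf], lf + 1, True


def parse_chunked(body: bytes, strict: bool = True):
    """Decode a chunked body.

    Returns (chunks, consumed, bare_lf_offsets):
      chunks          - list of chunk payloads in order
      consumed        - offset just past the terminating empty line; any
                        bytes after it are not part of this message
      bare_lf_offsets - offsets of chunk-size lines ended by a bare LF
                        (always empty in strict mode, which rejects them)
    """
    chunks, bare_lf_offsets = [], []
    pos = 0
    while True:
        line, pos, bare = _read_line(body, pos, strict)
        if bare:
            bare_lf_offsets.append(pos - 1)
        m = _SIZE_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed chunk-size line {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated chunk data")
        pos += size
        # the chunk data must be followed by its own CRLF
        if body[pos:pos + 2] == CRLF:
            pos += 2
        elif not strict and body[pos:pos + 1] == LF:
            pos += 1
        else:
            raise ValueError(f"chunk data not followed by CRLF at offset {pos}")
        chunks.append(data)
    # trailer section: zero or more header lines, then an empty line
    while True:
        line, pos, _ = _read_line(body, pos, strict)
        if line == b"":
            break
    return chunks, pos, bare_lf_offsets


def has_bare_lf_framing(body: bytes) -> bool:
    """Front-end check: True if a lenient decoder would accept this body
    while relying on bare-LF chunk-size terminators. Such a message should
    be rejected rather than forwarded to a backend."""
    return bool(parse_chunked(body, strict=False)[2])


# constructed sample bodies (not taken from the advisory)
WELL_FORMED = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BARE_LF = b"4\nWiki\n5\npedia\n0\n\n"

if __name__ == "__main__":
    print("strict, CRLF framing :", parse_chunked(WELL_FORMED))
    print("lenient, LF framing  :", parse_chunked(BARE_LF, strict=False))
    try:
        parse_chunked(BARE_LF)
    except ValueError as exc:
        print("strict decoder rejected LF framing:", exc)
    print("flag for rejection   :", has_bare_lf_framing(BARE_LF))
```

The `consumed` offset is the value to compare between a front-end and a backend: when both decoders are strict they agree on it, whereas the lenient decoder accepts a body the strict one refuses outright, which is the disagreement that makes smuggling possible. Rejecting any message for which `has_bare_lf_framing` is true is the corresponding mitigation at a proxy.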

Recommendations:

Netty version 4.1.124.Final: Update to version 4.1.125.Final.

Netty versions 4.2.0.Alpha3 through 4.2.4.Final: Update to version 4.2.5.Final.

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers: CVE-2025-58056

Affected Products: Debian, Netty