CVE-2025-58056: HTTP Request Smuggling in Netty

Severity: 2.9 LOW (NVD)
EPSS: 0.0% (top 88.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 3; Latest update Dec 9

Description

Netty is an asynchronous event-driven network application framework for the development of maintainable, high-performance protocol servers and clients. In versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts a standalone newline character (LF) as a chunk-size line terminator, regardless of whether a carriage return (CR) precedes it, instead of requiring CRLF as HTTP/1.1 specifies. When combined with reverse proxies that parse LF differently (treating it as part of the chunk e
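The parsing discrepancy the description refers to can be made concrete with a small chunked-body decoder that runs in either a strict mode (chunk-size line must end in CRLF, as RFC 9112 requires) or a lenient mode (a bare LF also ends the line). This is an added illustration, not Netty's code or its fix; the function names, the constructed sample bodies and the choice to require CRLF after chunk data in both modes are this example's own assumptions. The helper terminator_mismatch() reports the defender-relevant condition: a body that a lenient parser accepts but a strict one rejects, which is exactly when two hops in a chain can disagree about where a request ends.

```python
# Added example (not Netty's own code): a minimal decoder for the HTTP/1.1
# chunked transfer coding with a strict mode (chunk-size line must end in
# CRLF, per RFC 9112) and a lenient mode (a bare LF also ends the line).
# All names and sample inputs here are constructed for this example.
from typing import Tuple


def _read_line(body: bytes, pos: int, strict: bool) -> Tuple[bytes, int]:
    """Return (line without its terminator, position just after the terminator)."""
    nl = body.find(b"\n", pos)
    if nl == -1:
        raise ValueError("line not terminated")
    if nl > pos and body[nl - 1:nl] == b"\r":
        return body[pos:nl - 1], nl + 1      # proper CRLF terminator
    if strict:
        raise ValueError("bare LF is not a valid line terminator; CRLF required")
    return body[pos:nl], nl + 1              # lenient: accept LF on its own


def decode_chunked(body: bytes, *, strict: bool = True) -> bytes:
    """Decode a chunked message body.

    strict=True  : every chunk-size line must end in CRLF (RFC 9112 behaviour)
    strict=False : a bare LF also terminates the chunk-size line (lenient behaviour)
    Chunk data is required to be followed by CRLF in both modes (this example's choice).
    """
    out = bytearray()
    pos = 0
    while True:
        line, pos = _read_line(body, pos, strict)
        size_field = line.split(b";", 1)[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"invalid chunk size {size_field!r}")
        if size == 0:
            break                                      # last-chunk reached
        data = body[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated chunk data")
        out += data
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    # Trailer section: zero or more header lines, then an empty line.
    while True:
        line, pos = _read_line(body, pos, strict)
        if line == b"":
            break
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} trailing bytes after the last chunk")
    return bytes(out)


def terminator_mismatch(body: bytes) -> bool:
    """True when a lenient parser accepts the body but a strict parser rejects it.

    That is the condition under which two parsers on the same request path can
    disagree about where the body ends; a body both modes reject is simply
    malformed and produces no disagreement.
    """
    try:
        decode_chunked(body, strict=True)
        return False
    except ValueError:
        pass
    try:
        decode_chunked(body, strict=False)
        return True
    except ValueError:
        return False


# Constructed sample bodies (not captured traffic).
WELL_FORMED = b"5;ext=demo\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
BARE_LF_SIZE_LINE = b"5\nhello\r\n6\r\n world\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(WELL_FORMED))                         # b'hello world'
    print(decode_chunked(BARE_LF_SIZE_LINE, strict=False))     # b'hello world'
    print(terminator_mismatch(WELL_FORMED))                    # False
    print(terminator_mismatch(BARE_LF_SIZE_LINE))              # True
```

The strict mode is the behaviour a front-end or back-end parser should have; the lenient mode reproduces the class of acceptance the advisory describes, and terminator_mismatch() is the check a test suite or a request-validation layer can apply to flag bodies whose framing depends on which parser reads them.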

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (5 packages)

Source | Package | Affected / fixed versions
NVD | netty/netty | 4.2.0 to 4.2.5 (+1 more)
debian | debian/netty | < netty 1:4.1.48-7+deb12u2 (bookworm)
Debian | netty/netty | < 1:4.1.48-4+deb11u3 (+3 more)
Ubuntu | netty/netty | < 1:4.1.48-4+deb11u2ubuntu0.1 (+5 more)
CVEListV5 | netty/netty | 4.1.124.Final, < 4.1.125.Final (+1 more)

Patches

Vulnerability Details (4)

OSV: netty vulnerabilities (2025-12-09)
GHSA: Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions (2025-09-04)
OSV: Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions (2025-09-04)
OSV: CVE-2025-58056: Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients (2025-09-03)

Vendor Advisories (3)

Ubuntu: Netty vulnerabilities (2025-12-09)
Red Hat: netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions (2025-09-03)
Debian: CVE-2025-58056: netty - Netty is an asynchronous event-driven network application framework for developm... (2025)