CVE-2025-58056
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netty | netty | to 4.1.125 (exc) |
| netty | netty | From 4.2.0 (inc) to 4.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Netty versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final, where Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator instead of requiring the proper carriage return followed by a newline (CRLF) as per HTTP/1.1 standards. This discrepancy allows attackers to craft requests that are interpreted differently by reverse proxies and Netty, enabling HTTP request smuggling attacks.
How can this vulnerability impact me? :
The vulnerability can allow attackers to perform HTTP request smuggling attacks by sending specially crafted requests that are parsed differently by reverse proxies and Netty servers. This can lead to security issues such as bypassing security controls, unauthorized access, or manipulation of requests and responses.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Netty to version 4.1.125.Final or 4.2.5.Final or later, as these versions contain the fix for this vulnerability.