- Description
- Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- netty
CVSS 4.0
- Type
- Secondary
- Base score
- 2.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- LOW
CVSS 3.1
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-444
Ubuntu issues USN-7918 for Netty HTTP flaws in releases 25.10 to 16.04, including CVE-2025-58056 enabling HTTP request smuggling and potential denial of service via malformed traffic. #Vulnerability https://t.co/GJM1XSNcY8
@threatcluster
10 Dec 2025
🚨 SECURITY ALERT for @openSUSE #Tumbleweed users! Moderate advisory issued for Netty packages patching CVE-2025-58056 and CVE-2025-58057. Read more: 👉 https://t.co/ntTN2RHpoU #Security https://t.co/Tef21VGi4i
@Cezar_H_Linux
5 Sept 2025
🚨 CVE-2025-58056: Netty accepts lone LF in chunked transfers, allowing request smuggling to bypass proxies. Update to https://t.co/my55uRI7lw or https://t.co/EtoIHEf4C2 now! Full advisory ➡️ https://t.co/9kcK722uaA #Netty #Java #infosec
@VolerionSec
3 Sept 2025
CVE-2025-58056 Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124… https://t.co/UZYSjYrbyU
@CVEnew
3 Sept 2025
Eclipse Vert.x 4.5.21 has been released providing fixes for CVE-2025-58057 and CVE-2025-58056 https://t.co/buriVLZUJV
@vertx_project
3 Sept 2025
We are happy to announce the release of #netty https://t.co/tkiUdy4pxM. This is a bug-fix release which also contains 2 security fixes, CVE-2025-58057 and CVE-2025-58056. For all the details please check our release announcement: https://t.co/ISc1vv1MWo
@normanmaurer
3 Sept 2025
We are happy to announce the release of #netty https://t.co/q0LNIbUFiF. This is a bug-fix release which also contains 2 security fixes, CVE-2025-58057 and CVE-2025-58056. For all the details please check our release announcement: https://t.co/vu1jc8yiUW
@normanmaurer
3 Sept 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "91C23E45-E625-4679-8474-298E01E084C8",
            "versionEndExcluding": "4.1.125",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E6E1F3B6-A0E5-41A0-B7A3-938909C8C705",
            "versionEndExcluding": "4.2.5",
            "versionStartIncluding": "4.2.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]