CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability

### Before reporting an issue

- [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

### Area

_No response_

### Describe the bug

Netty’s netty-codec-http component is vulnerable to HTTP Request Smuggling due to incorrect parsing of chunked-encoding requests.

An attacker may craft ambiguous HTTP requests that are parsed inconsistently by Netty and upstream servers. This can lead to request smuggling attacks, allowing cache poisoning, request bypasses, or unauthorized access to backend services.

### Version

26.3.3

### Regression

- [ ] The issue is a regression

### Expected behavior

No CVE reported.

### Actual behavior

CVE reported.

### How to Reproduce?

Please, check scanner alerts.

### Anything else?

References:

- [NVD – CVE-2025-58056](https://nvd.nist.gov/vuln/detail/CVE-2025-58056?utm_source=chatgpt.com)

- [Snyk Advisory – HTTP Request Smuggling](https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-12485149?utm_source=chatgpt.com)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability #42492

Before reporting an issue

Area

Describe the bug

Version

Regression

Expected behavior

Actual behavior

How to Reproduce?

Anything else?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability #42492

Description

Before reporting an issue

Area

Describe the bug

Version

Regression

Expected behavior

Actual behavior

How to Reproduce?

Anything else?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions