Bug 2392996 (CVE-2025-58056)

Summary: CVE-2025-58056 netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abrianik, anstephe, anthomas, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, dsimansk, eaguilar, ebaron, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, ggainey, ggrzybek, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jcantril, jkoehler, jmartisk, jnethert, joehler, jolong, jpechane, jrokos, jross, jsamir, juwatts, kaycoth, kgaikwad, kingland, kvanderr, kverlaen, lcouzens, lphiri, lthon, manderse, matzew, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkubis, rmartinc, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, swoodman, tasato, tcunning, tmalecek, tom.jenkinson, tqvarnst, vkrizan, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2414768    
Bug Blocks:    

Description OSIDB Bzimport 2025-09-03 21:01:47 UTC 
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
Comment 2 errata-xmlrpc 2025-10-02 14:54:05 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1.0

Via RHSA-2025:17299 https://access.redhat.com/errata/RHSA-2025:17299
Comment 3 errata-xmlrpc 2025-10-02 14:55:41 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2025:17298 https://access.redhat.com/errata/RHSA-2025:17298
Comment 4 errata-xmlrpc 2025-10-02 17:34:40 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0.9

Via RHSA-2025:17318 https://access.redhat.com/errata/RHSA-2025:17318
Comment 5 errata-xmlrpc 2025-10-02 17:35:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8

Via RHSA-2025:17317 https://access.redhat.com/errata/RHSA-2025:17317
Comment 6 errata-xmlrpc 2025-10-08 14:48:37 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.2

Via RHSA-2025:17567 https://access.redhat.com/errata/RHSA-2025:17567
Comment 7 errata-xmlrpc 2025-10-14 17:59:08 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10

Via RHSA-2025:18028 https://access.redhat.com/errata/RHSA-2025:18028
Comment 8 errata-xmlrpc 2025-10-15 09:14:22 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2025:18076 https://access.redhat.com/errata/RHSA-2025:18076
Comment 9 errata-xmlrpc 2025-11-25 02:09:10 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:21148 https://access.redhat.com/errata/RHSA-2025:21148
Comment 10 errata-xmlrpc 2025-12-16 23:14:16 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.1.0

Via RHSA-2025:23417 https://access.redhat.com/errata/RHSA-2025:23417