DEBIAN-CVE-2025-58056

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-58056
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-58056.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-58056
Upstream
Published
2025-09-03T21:15:33Z
Modified
2025-09-30T05:20:48.017765Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

References

Affected packages

Debian:11 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-4
1:4.1.48-4+deb11u1
1:4.1.48-4+deb11u2
1:4.1.48-5
1:4.1.48-6
1:4.1.48-7
1:4.1.48-8
1:4.1.48-9
1:4.1.48-10

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-7
1:4.1.48-7+deb12u1
1:4.1.48-8
1:4.1.48-9
1:4.1.48-10

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:4.*

1:4.1.48-10

Ecosystem specific 

{
    "urgency": "not yet assigned"
}