UBUNTU-CVE-2025-58056

Source
https://ubuntu.com/security/CVE-2025-58056
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-58056.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-58056
Published
2025-09-04T00:00:00Z
Modified
2025-09-08T17:11:59Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
  • Ubuntu - low
Summary
[none]
Details

Netty is an asynchronous event-driven network application framework for the development of maintainable high-performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts a standalone newline character (LF) as a chunk-size line terminator, whether or not it is preceded by a carriage return (CR), instead of requiring CRLF as the HTTP/1.1 standard does. When Netty sits behind a reverse proxy that parses LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

Affected packages

Ubuntu:Pro:14.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:3.*

1:3.2.6.Final-2
1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:3.2.6.Final-2+deb8u2build0.14.04.1~esm1"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.0.34-1ubuntu0.1~esm2?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:3.*

1:3.2.6.Final-2

1:4.*

1:4.0.32-1
1:4.0.33-1
1:4.0.34-1
1:4.0.34-1ubuntu0.1~esm1
1:4.0.34-1ubuntu0.1~esm2

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.0.34-1ubuntu0.1~esm2"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / netty-3.9

Package

Name
netty-3.9
Purl
pkg:deb/ubuntu/netty-3.9@3.9.0.Final-1ubuntu0.1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.9.0.Final-1
3.9.0.Final-1ubuntu0.1

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-3.9-java",
            "binary_version": "3.9.0.Final-1ubuntu0.1"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.1.7-4ubuntu0.1+esm3?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:4.*

1:4.1.7-4
1:4.1.7-4ubuntu0.1~esm1
1:4.1.7-4ubuntu0.1
1:4.1.7-4ubuntu0.1+esm1
1:4.1.7-4ubuntu0.1+esm2
1:4.1.7-4ubuntu0.1+esm3

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.1.7-4ubuntu0.1+esm3"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / netty-3.9

Package

Name
netty-3.9
Purl
pkg:deb/ubuntu/netty-3.9@3.9.9.Final-1+deb9u1build0.18.04.1?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*

3.9.9.Final-1
3.9.9.Final-1+deb9u1build0.18.04.1

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-3.9-java",
            "binary_version": "3.9.9.Final-1+deb9u1build0.18.04.1"
        }
    ]
}

Ubuntu:Pro:20.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.1.45-1ubuntu0.1~esm2?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:4.*

1:4.1.33-1
1:4.1.33-2
1:4.1.33-3
1:4.1.45-1
1:4.1.45-1ubuntu0.1~esm1
1:4.1.45-1ubuntu0.1~esm2

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.1.45-1ubuntu0.1~esm2"
        }
    ]
}

Ubuntu:22.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.1.48-4+deb11u2build0.22.04.1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:4.*

1:4.1.48-4
1:4.1.48-4+deb11u1build0.22.04.1
1:4.1.48-4+deb11u2build0.22.04.1

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.1.48-4+deb11u2build0.22.04.1"
        }
    ]
}

Ubuntu:24.04:LTS / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.1.48-9?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:4.*

1:4.1.48-7
1:4.1.48-8
1:4.1.48-9

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.1.48-9"
        }
    ]
}

Ubuntu:25.04 / netty

Package

Name
netty
Purl
pkg:deb/ubuntu/netty@1:4.1.48-10?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:4.*

1:4.1.48-10

Ecosystem specific

{
    "priority_reason": "http smuggling issue",
    "binaries": [
        {
            "binary_name": "libnetty-java",
            "binary_version": "1:4.1.48-10"
        }
    ]
}