{ "threat_severity" : "Moderate", "public_date" : "2025-09-03T20:56:50Z", "bugzilla" : { "description" : "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions", "id" : "2392996", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2392996" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-444", "details" : [ "Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.", "A flaw in Netty’s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses." ], "statement" : "This issue is considered Moderate rather than Important because successful exploitation depends on a very specific deployment condition: the presence of an intermediary reverse proxy that both mishandles lone LF characters in chunk extensions and forwards them unmodified to Netty. By itself, Netty’s parsing quirk does not introduce risk, and in most real-world environments, reverse proxies normalize or reject malformed chunked requests, preventing smuggling. As a result, the vulnerability has limited reach, requires a niche configuration to be exploitable, and does not universally expose Netty-based servers to request smuggling—hence it is rated moderate in severity rather than important or critical.", "affected_release" : [ { "product_name" : "AMQ Clients 2026.Q1", "release_date" : "2026-02-23T00:00:00Z", "advisory" : "RHSA-2026:3102", "cpe" : "cpe:/a:redhat:amq_clients:2026", "package" : "netty-codec-http" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-agent-init-rhel9:0.6.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-db-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-grafana-dashboard-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-openshift-console-plugin-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-operator-bundle:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-reports-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-rhel9-operator:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/cryostat-storage-rhel9:4.1.0-11" }, { "product_name" : "Cryostat 4 on RHEL 9", "release_date" : "2025-11-25T00:00:00Z", "advisory" : "RHSA-2025:21148", "cpe" : "cpe:/a:redhat:cryostat:4::el9", "package" : "cryostat/jfr-datasource-rhel9:4.1.0-11" }, { "product_name" : "Red Hat AMQ Broker 7.13.2", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17567", "cpe" : "cpe:/a:redhat:amq_broker:7.13", "package" : "netty-codec-http" }, { "product_name" : "Red Hat AMQ Broker 7.13.2", "release_date" : "2025-10-08T00:00:00Z", "advisory" : "RHSA-2025:17567", "cpe" : "cpe:/a:redhat:amq_broker:7.13", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10", "release_date" : "2025-10-14T00:00:00Z", "advisory" : "RHSA-2025:18028", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "netty-codec-http" }, { "product_name" : "Red Hat build of Apache Camel 4.10.7 for Spring Boot 3.4.10", "release_date" : "2025-10-14T00:00:00Z", "advisory" : "RHSA-2025:18028", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.10", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20", "release_date" : "2025-10-15T00:00:00Z", "advisory" : "RHSA-2025:18076", "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.20", "package" : "netty-codec-http" }, { "product_name" : "Red Hat Build of Apache Camel 4.10 for Quarkus 3.20", "release_date" : "2025-10-15T00:00:00Z", "advisory" : "RHSA-2025:18076", "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.20", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat build of Quarkus 3.15.7", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17187", "cpe" : "cpe:/a:redhat:quarkus:3.15::el8", "package" : "netty-codec-http" }, { "product_name" : "Red Hat build of Quarkus 3.20.3", "release_date" : "2025-10-14T00:00:00Z", "advisory" : "RHSA-2025:17563", "cpe" : "cpe:/a:redhat:quarkus:3.20::el8", "package" : "netty-codec-http" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0.9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17318", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "netty-codec-http" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0.9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17318", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-apache-cxf-0:4.0.9-5.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-apache-cxf-xjc-utils-0:4.1.0-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-eap-product-conf-parent-0:800.9.1-3.GA_redhat_00004.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-jbossws-cxf-0:7.3.4-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-netty-0:4.1.127-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-netty-transport-native-epoll-0:4.1.127-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-opensaml-0:4.3.2-2.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-wildfly-0:8.0.9-8.GA_redhat_00008.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-wss4j-0:3.0.4-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package" : "eap8-xml-security-0:3.0.5-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-apache-cxf-0:4.0.9-5.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-apache-cxf-xjc-utils-0:4.1.0-1.redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-eap-product-conf-parent-0:800.9.1-3.GA_redhat_00004.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-jbossws-cxf-0:7.3.4-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-netty-0:4.1.127-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-netty-transport-native-epoll-0:4.1.127-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-opensaml-0:4.3.2-2.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-wildfly-0:8.0.9-8.GA_redhat_00008.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-wss4j-0:3.0.4-1.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17317", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package" : "eap8-xml-security-0:3.0.5-1.redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1.0", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17299", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "netty-codec-http" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1.0", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17299", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "netty-codec-http2" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-apache-commons-lang-0:3.18.0-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-apache-cxf-0:4.0.9-4.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-eap-product-conf-parent-0:801.0.1-2.GA_redhat_00003.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-jbossws-cxf-0:7.3.4-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-netty-0:4.1.127-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-netty-transport-native-epoll-0:4.1.127-1.Final_redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-opensaml-0:4.3.2-2.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-wildfly-0:8.1.0-55.GA_redhat_00016.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-wss4j-0:3.0.4-1.redhat_00002.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8", "package" : "eap8-xml-security-0:3.0.5-1.redhat_00001.1.el8eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-apache-commons-lang-0:3.18.0-1.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-apache-cxf-0:4.0.9-4.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-eap-product-conf-parent-0:801.0.1-2.GA_redhat_00003.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-jbossws-cxf-0:7.3.4-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-netty-0:4.1.127-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-netty-transport-native-epoll-0:4.1.127-1.Final_redhat_00001.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-opensaml-0:4.3.2-2.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-wildfly-0:8.1.0-55.GA_redhat_00016.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-wss4j-0:3.0.4-1.redhat_00002.1.el9eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9", "release_date" : "2025-10-02T00:00:00Z", "advisory" : "RHSA-2025:17298", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9", "package" : "eap8-xml-security-0:3.0.5-1.redhat_00001.1.el9eap" }, { "product_name" : "Streams for Apache Kafka 3.1.0", "release_date" : "2025-12-16T00:00:00Z", "advisory" : "RHSA-2025:23417", "cpe" : "cpe:/a:redhat:amq_streams:3.1::el9", "package" : "netty-codec-http" } ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-sink-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-aws-sqs-source-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-log-sink-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/kn-eventing-integrations-timer-source-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat AMQ Clients", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_clients:2023" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Apicurio Registry 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:apicurio_registry:3" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 2", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:2" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Will not fix", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of Debezium 3", "fix_state" : "Will not fix", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:debezium:3" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of OptaPlanner 8", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:optaplanner:::el6" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-modelmesh-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-modelmesh-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-trustyai-service-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-trustyai-service-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/pluginregistry-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/server-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "satellite:el8/candlepin", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Affected", "package_name" : "netty-codec-http", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Affected", "package_name" : "netty-codec-http2", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-58056\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-58056\nhttps://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding\nhttps://github.com/JLLeitschuh/unCVEed/issues/1\nhttps://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284\nhttps://github.com/netty/netty/issues/15522\nhttps://github.com/netty/netty/pull/15611\nhttps://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49\nhttps://w4ke.info/2025/06/18/funky-chunks.html" ], "name" : "CVE-2025-58056", "mitigation" : { "value" : "To mitigate this issue, enforce strict RFC compliance on all front-end proxies and load balancers so that lone LF characters in chunk extensions are rejected or normalized before being forwarded. Additionally, configure input validation at the application or proxy layer to block malformed chunked requests, ensuring consistent parsing across all components in the request path.", "lang" : "en:us" }, "csaw" : false }