
Cloud Vulnerability DB
A community-led vulnerabilities database
Netty, an asynchronous event-driven network application framework, contains a vulnerability in versions 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final: it incorrectly accepts a standalone newline character (LF) as the chunk-size line terminator in HTTP/1.1 chunked transfer encoding, whether or not a carriage return (CR) precedes it. This vulnerability was discovered in September 2025 and is tracked as CVE-2025-58056 (GitHub Advisory).
The vulnerability stems from Netty's non-compliant parsing of chunk extensions in HTTP/1.1 messages that use chunked encoding. When Netty encounters a newline character (LF) while parsing a chunk extension, it treats it as the end of the chunk-size line regardless of whether a preceding carriage return (CR) was found. This violates the HTTP/1.1 standard, which requires a CRLF sequence to terminate the chunk-size line (RFC 9112). The vulnerability has been assigned a CVSS v4.0 base score of 8.2 HIGH (GitHub Advisory).
When Netty sits behind a reverse proxy that parses LF differently (treating a bare LF as part of the chunk extension rather than as a line terminator), an attacker can craft a request that the proxy sees as one request but Netty processes as two, which enables request smuggling. This can be exploited to bypass front-end access control rules and potentially to serve malicious responses to other live clients (GitHub Advisory).
The vulnerability has been fixed in versions 4.1.125.Final and 4.2.5.Final, and users should upgrade to one of these patched versions. The fix enforces strict CRLF line separators for HTTP messages by default; the behaviour remains configurable through HttpDecoderConfig (GitHub Commit).
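To make the framing disagreement concrete, the following is an added illustration (not Netty's code, and not from the advisory) that parses a single chunk-size line under three terminator rules: any LF ends the line (the pre-fix behaviour described above), only CRLF ends the line with a bare LF kept inside the extension (the proxy behaviour described above), and only CRLF ends the line with a bare LF rejected (the strict default after the fix). The mode names and the sample bytes are constructed for this example.

```python
"""Three ways to terminate an HTTP/1.1 chunk-size line (RFC 9112: chunk-size [chunk-ext] CRLF).

Added illustration, not Netty's code. Modes:
  "lf"     - any LF ends the line, CR or not (lenient, pre-fix behaviour)
  "crlf"   - only CRLF ends the line; a bare LF stays inside the extension
  "strict" - only CRLF ends the line; a bare LF before it is an error
"""

HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")


class ChunkLineError(ValueError):
    """Raised when the chunk-size line violates RFC 9112 syntax."""


def parse_chunk_size_line(data: bytes, mode: str) -> tuple[int, bytes, int]:
    """Parse the chunk-size line at the start of `data`.

    Returns (chunk_size, chunk_ext, data_start); data_start is the offset
    where this mode believes the chunk data begins.
    """
    if mode == "lf":
        lf = data.find(b"\n")
        if lf < 0:
            raise ChunkLineError("unterminated chunk-size line")
        # LF ends the line whether or not a CR precedes it; drop the CR if present
        line_end = lf - 1 if lf > 0 and data[lf - 1] == 0x0D else lf
        data_start = lf + 1
    elif mode in ("crlf", "strict"):
        crlf = data.find(b"\r\n")
        if crlf < 0:
            raise ChunkLineError("unterminated chunk-size line")
        if mode == "strict" and b"\n" in data[:crlf]:
            raise ChunkLineError("bare LF before CRLF in chunk-size line")
        line_end, data_start = crlf, crlf + 2
    else:
        raise ValueError(f"unknown mode {mode!r}")

    size_hex, _, ext = data[:line_end].partition(b";")
    if not size_hex or any(c not in HEXDIGITS for c in size_hex):
        raise ChunkLineError(f"invalid chunk-size {size_hex!r}")
    return int(size_hex, 16), ext, data_start


# Constructed sample: a chunk extension containing a bare LF, then five bytes
# the sender intends as chunk data, then the CRLF that ends that data.
SAMPLE = b"5;ext\nAAAAA\r\n"


def framing_by_mode(data: bytes = SAMPLE) -> dict[str, object]:
    """Show how each mode frames the same bytes; strict mode reports the rejection."""
    result: dict[str, object] = {}
    for mode in ("lf", "crlf", "strict"):
        try:
            result[mode] = parse_chunk_size_line(data, mode)
        except ChunkLineError as exc:
            result[mode] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for mode, outcome in framing_by_mode().items():
        print(f"{mode:>6}: {outcome}")
```

The lenient and CRLF-only modes both read a chunk size of 5 but place the start of the chunk data at offsets 6 and 13 respectively, so the two parsers disagree on how the rest of the body is framed; only the strict mode refuses the line.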
The vulnerability was initially reported by researcher @JeppW and coordinated by @JLLeitschuh at Socket. After the Netty team was initially unresponsive, the vulnerability was publicly disclosed on June 18, 2025, leading to increased attention from the security community (GitHub Issue).
Source: This report was generated using AI