Red Hat build of Keycloak: RHBK-3600

CVE-2025-58056 - Netty HTTP Request Smuggling vulnerability [GHI#42492]


Before reporting an issue

[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

No response

Describe the bug

Netty’s netty-codec-http component is vulnerable to HTTP Request Smuggling due to incorrect parsing of chunked-encoding requests.

An attacker may craft ambiguous HTTP requests that are parsed inconsistently by Netty and upstream servers. This can lead to request smuggling attacks, allowing cache poisoning, request bypasses, or unauthorized access to backend services.

Version

26.3.3

Regression

[ ] The issue is a regression

Expected behavior

No CVE reported.

Actual behavior

CVE reported.

How to Reproduce?

Please check scanner alerts.

Anything else?

References:
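As an added example (not Netty's or Keycloak's code), the check below shows what a front end can do to refuse the ambiguous chunked framings this class of bug depends on: a strict chunked-body decoder that accepts only canonical chunk-size lines with CRLF terminators and rejects everything else. The rejection rules are a conservative reading of RFC 9112 chosen for this example, not the specific defect fixed for this CVE.

```python
import re

# Canonical chunk-size line: hex digits, optional chunk extension, nothing else.
# Conservative rule chosen for this example; RFC 9112 also tolerates a bare LF.
_CHUNK_SIZE_LINE = re.compile(rb"[0-9a-fA-F]+(;[^\r\n]*)?")


class AmbiguousChunkedBody(ValueError):
    """Raised when a body is not an unambiguous chunked encoding."""


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked body, rejecting input a lenient parser might read differently.

    Rejects bare-LF line endings, whitespace or non-hex bytes in the chunk size,
    chunk data not followed by CRLF, trailer fields, and bytes after the last chunk.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise AmbiguousChunkedBody("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        # A bare LF before the first CRLF, or any stray byte, is an ambiguity.
        if b"\n" in line or not _CHUNK_SIZE_LINE.fullmatch(line):
            raise AmbiguousChunkedBody(f"malformed chunk-size line: {line!r}")
        size = int(line.split(b";", 1)[0], 16)
        pos = end + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise AmbiguousChunkedBody("chunk data does not match declared size")
        out += chunk
        pos += size + 2
    # After the last chunk only an empty trailer section (a lone CRLF) is accepted.
    if body[pos:] != b"\r\n":
        raise AmbiguousChunkedBody("unexpected bytes after last chunk")
    return bytes(out)


def is_unambiguous_chunked(body: bytes) -> bool:
    """True if the body decodes under the strict rules, False if it is rejected."""
    try:
        decode_chunked_strict(body)
    except AmbiguousChunkedBody:
        return False
    return True
```

The sample inputs in the comments are constructed; a proxy that rejects these forms up front gives a downstream parser no chance to disagree about where one request ends and the next begins.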

Assignee: Unassigned
Reporter: Pavel Vlha (pvlha)
Component: Keycloak Cloud Native
Votes: 0
Watchers: 1