Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:17298 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime.

    This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.1. See Release     Notes for information about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions     [eap-8.1.z] (CVE-2025-58056)

    * netty-codec-http2: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions     [eap-8.1.z] (CVE-2025-58056)

    * cxf: CXF JMS Code Execution Vulnerability [eap-8.1.z] (CVE-2025-48913)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:17317 advisory.

    Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly     application runtime.

    This asynchronous patch is an update for Red Hat JBoss Enterprise Application Platform 8.0. See Release     Notes for information about the most significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)

    * netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions     [eap-8.0.z] (CVE-2025-58056)

    * cxf: CXF JMS Code Execution Vulnerability (CVE-2025-48913)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03114-1 advisory.

    Upgrade to upstream version 4.1.126.

    Security issues fixed:

    - CVE-2025-58057: decompression codecs allocating a large number of buffers after processing specially     crafted input can       cause a denial of service (bsc#1249134).
    - CVE-2025-58056: incorrect parsing of chunk extensions can lead to request smuggling (bsc#1249116).
    - CVE-2025-55163: 'MadeYouReset' denial of serivce attack in the HTTP/2 protocol (bsc#1247991).

    Other issues fixed:

    - Fixes from version 4.1.126
      * Fix IllegalReferenceCountException on invalid upgrade response.
      * Drop unknown frame on missing stream.
      * Don't try to handle incomplete upgrade request.
      * Update to netty-tcnative 2.0.73Final.

    - Fixes from version 4.1.124
      * Fix NPE and AssertionErrors when many tasks are scheduled and cancelled.
      * HTTP2: Http2ConnectionHandler should always use Http2ConnectionEncoder.
      * Epoll: Correctly handle UDP packets with source port of 0.
      * Fix netty-common OSGi Import-Package header.
      * MqttConnectPayload.toString() includes password.

    - Fixes from version 4.1.123
      * Fix chunk reuse bug in adaptive allocator.
      * More accurate adaptive memory usage accounting.
      * Introduce size-classes for the adaptive allocator.
      * Reduce magazine proliferation eagerness.
      * Fix concurrent ByteBuffer access issue in AdaptiveByteBuf.getBytes.
      * Fix possible buffer corruption caused by incorrect setCharSequence(...) implementation.
      * AdaptiveByteBuf: Fix AdaptiveByteBuf.maxFastWritableBytes() to take writerIndex() into account.
      * Optimize capacity bumping for adaptive ByteBufs.
      * AbstractDnsRecord: equals() and hashCode() to ignore name field's case.
      * Backport Unsafe guards.
      * Guard recomputed offset access with hasUnsafe.
      * HTTP2: Always produce a RST frame on stream exception.
      * Correct what artifacts included in netty-bom.

    - Fixes from version 4.1.122
      * DirContextUtils.addNameServer(...) should just catch Exception internally.
      * Make public API specify explicit maxAllocation to prevent OOM.
      * Fix concurrent ByteBuf write access bug in adaptive allocator.
      * Fix transport-native-kqueue Bundle-SymbolicNames.
      * Fix resolver-dns-native-macos Bundle-SymbolicNames.
      * Always correctly calculate the memory address of the ByteBuf even if sun.misc.Unsafe is not usable.
      * Upgrade lz4 dependencies as the old version did not correctly handle ByteBuffer that have an     arrayOffset > 0.
      * Optimize ByteBuf.setCharSequence for adaptive allocator.
      * Kqueue: Fix registration failure when fd is reused.
      * Make JdkZlibEncoder accept Deflater.DEFAULT_COMPRESSION as level.
      * Ensure OpenSsl.availableJavaCipherSuites does not contain null values.
      * Always prefer direct buffers for pooled allocators if not explicit disabled.
      * Update to netty-tcnative 2.0.72.Final.
      * Re-enable sun.misc.Unsafe by default on Java 24+.
      * Kqueue: Delay removal from registration map to fix noisy warnings.

    - Fixes from version 4.1.121
      * Epoll.isAvailable() returns false on Ubuntu 20.04/22.04 arch amd64.
      * Fix transport-native-epoll Bundle-SymbolicNames.

    - Fixes from version 4.1.120
      * Fix flawed termination condition check in HttpPostRequestEncoder#encodeNextChunkUrlEncoded(int) for     current         InterfaceHttpData.
      * Exposed decoderEnforceMaxConsecutiveEmptyDataFrames and decoderEnforceMaxRstFramesPerWindow.
      * ThreadExecutorMap must restore old EventExecutor.
      * Make Recycler virtual thread friendly.
      * Disable sun.misc.Unsafe by default on Java 24+.
      * Adaptive: Correctly enforce leak detection when using AdaptiveByteBufAllocator.
      * Add suppressed exception to original cause when calling Future.sync*.
      * Add SETTINGS_ENABLE_CONNECT_PROTOCOL to the default HTTP/2 settings.
      * Correct computation for suboptimal chunk retirement probability.
      * Fix bug in method AdaptivePoolingAllocator.allocateWithoutLock(...).
      * Fix a Bytebuf leak in TcpDnsQueryDecoder.
      * SSL: Clear native error if named group is not supported.
      * WebSocketClientCompressionHandler shouldn't claim window bits support when jzlib is not available.
      * Fix the assignment error of maxQoS parameter in ConnAck Properties.

    - Fixes from version 4.1.119
      * Replace SSL assertion with explicit record length check.
      * Fix NPE when upgrade message fails to aggregate.
      * SslHandler: Fix possible NPE when executor is used for delegating.
      * Consistently add channel info in HTTP/2 logs.
      * Add QueryStringDecoder option to leave '+' alone.
      * Use initialized BouncyCastle providers when available.

    - Fix pom.xml errors that will be fatal with Maven 4

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Netty is an asynchronous event-driven network application framework for development of maintainable high     performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final,     Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless     of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with     reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can     craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling     attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final. (CVE-2025-58056)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
266418	RHEL 8 / 9 : Red Hat JBoss Enterprise Application Platform 8.1.0 (RHSA-2025:17298)	Nessus	Red Hat Local Security Checks	high
266416	RHEL 8 / 9 : Red Hat JBoss Enterprise Application Platform 8.0.9 (RHSA-2025:17317)	Nessus	Red Hat Local Security Checks	high
264436	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : netty, netty-tcnative (SUSE-SU-2025:03114-1)	Nessus	SuSE Local Security Checks	high
261590	Linux Distros Unpatched Vulnerability : CVE-2025-58056	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-58056

medium

Tenable Plugins

high

high

high

medium