Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/io.netty/netty-codec-http@4.1.78.Final
Typemaven
Namespaceio.netty
Namenetty-codec-http
Version4.1.78.Final
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.1.125.Final
Latest_non_vulnerable_version4.2.10.Final
Affected_by_vulnerabilities
0
url VCID-n9u5-a8js-hbf2
vulnerability_id VCID-n9u5-a8js-hbf2
summary 
Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions
## Summary
A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some reverse proxies.

## Details
When encountering a newline character (LF) while parsing a chunk extension, netty interprets the newline as the end of the chunk-size line regardless of whether a preceding carriage return (CR) was found. This is in violation of the HTTP 1.1 standard which specifies that the chunk extension is terminated by a CRLF sequence (see the [RFC](https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding)).

This is by itself harmless, but consider an intermediary with a similar parsing flaw: while parsing a chunk extension, the intermediary interprets an LF without a preceding CR as simply part of the chunk extension (this is also in violation of the RFC, because whitespace characters are not allowed in chunk extensions). We can use this discrepancy to construct an HTTP request that the intermediary will interpret as one request but netty will interpret as two (all lines ending with CRLF, notice the LFs in the chunk extension):

```
POST /one HTTP/1.1
Host: localhost:8080
Transfer-Encoding: chunked

48;\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n0

POST /two HTTP/1.1
Host: localhost:8080
Transfer-Encoding: chunked

0

```

The intermediary will interpret this as a single request. Once forwarded to netty, netty will interpret it as two separate requests. This is a problem, because attackers can then the intermediary, as well as perform standard request smuggling attacks against other live users (see [this Portswigger article](https://portswigger.net/web-security/request-smuggling/exploiting)).

## Impact
This is a request smuggling issue which can be exploited for bypassing front-end access control rules as well as corrupting the responses served to other live clients.

The impact is high, but it only affects setups that use a front-end which:
1. Interprets LF characters (without preceding CR) in chunk extensions as part of the chunk extension.
2. Forwards chunk extensions without normalization.

## Disclosure

 - This vulnerability was disclosed on June 18th, 2025 here: https://w4ke.info/2025/06/18/funky-chunks.html

## Discussion
Discussion for this vulnerability can be found here:
 - https://github.com/netty/netty/issues/15522
 - https://github.com/JLLeitschuh/unCVEed/issues/1

## Credit

 - Credit to @JeppW for uncovering this vulnerability.
 - Credit to @JLLeitschuh at [Socket](https://socket.dev/) for coordinating the vulnerability disclosure.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58056.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-58056.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-58056
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09283
published_at 2026-04-02T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09335
published_at 2026-04-04T12:55:00Z
2
value 0.00038
scoring_system epss
scoring_elements 0.11401
published_at 2026-04-11T12:55:00Z
3
value 0.00038
scoring_system epss
scoring_elements 0.11199
published_at 2026-04-16T12:55:00Z
4
value 0.00038
scoring_system epss
scoring_elements 0.11339
published_at 2026-04-13T12:55:00Z
5
value 0.00038
scoring_system epss
scoring_elements 0.11368
published_at 2026-04-12T12:55:00Z
6
value 0.00038
scoring_system epss
scoring_elements 0.11394
published_at 2026-04-09T12:55:00Z
7
value 0.0004
scoring_system epss
scoring_elements 0.12032
published_at 2026-04-08T12:55:00Z
8
value 0.0004
scoring_system epss
scoring_elements 0.1195
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-58056
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58056
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58056
3
reference_url https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
4
reference_url https://github.com/github/advisory-database/pull/6092
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/github/advisory-database/pull/6092
5
reference_url https://github.com/JLLeitschuh/unCVEed/issues/1
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://github.com/JLLeitschuh/unCVEed/issues/1
6
reference_url https://github.com/netty/netty
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/netty/netty
7
reference_url https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
8
reference_url https://github.com/netty/netty/issues/15522
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://github.com/netty/netty/issues/15522
9
reference_url https://github.com/netty/netty/pull/15611
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://github.com/netty/netty/pull/15611
10
reference_url https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-58056
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-58056
12
reference_url https://w4ke.info/2025/06/18/funky-chunks.html
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-04T19:09:52Z/
url https://w4ke.info/2025/06/18/funky-chunks.html
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113995
reference_id 1113995
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113995
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2392996
reference_id 2392996
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2392996
15
reference_url https://github.com/advisories/GHSA-fghv-69vj-qj49
reference_id GHSA-fghv-69vj-qj49
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fghv-69vj-qj49
16
reference_url https://access.redhat.com/errata/RHSA-2025:17187
reference_id RHSA-2025:17187
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17187
17
reference_url https://access.redhat.com/errata/RHSA-2025:17298
reference_id RHSA-2025:17298
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17298
18
reference_url https://access.redhat.com/errata/RHSA-2025:17299
reference_id RHSA-2025:17299
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17299
19
reference_url https://access.redhat.com/errata/RHSA-2025:17317
reference_id RHSA-2025:17317
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17317
20
reference_url https://access.redhat.com/errata/RHSA-2025:17318
reference_id RHSA-2025:17318
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17318
21
reference_url https://access.redhat.com/errata/RHSA-2025:17563
reference_id RHSA-2025:17563
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17563
22
reference_url https://access.redhat.com/errata/RHSA-2025:17567
reference_id RHSA-2025:17567
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:17567
23
reference_url https://access.redhat.com/errata/RHSA-2025:18028
reference_id RHSA-2025:18028
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:18028
24
reference_url https://access.redhat.com/errata/RHSA-2025:18076
reference_id RHSA-2025:18076
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:18076
25
reference_url https://access.redhat.com/errata/RHSA-2025:21148
reference_id RHSA-2025:21148
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21148
26
reference_url https://access.redhat.com/errata/RHSA-2026:3102
reference_id RHSA-2026:3102
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:3102
27
reference_url https://usn.ubuntu.com/7918-1/
reference_id USN-7918-1
reference_type
scores
url https://usn.ubuntu.com/7918-1/
fixed_packages
0
url pkg:maven/io.netty/netty-codec-http@4.1.125.Final
purl pkg:maven/io.netty/netty-codec-http@4.1.125.Final
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/io.netty/netty-codec-http@4.1.125.Final
1
url pkg:maven/io.netty/netty-codec-http@4.2.5.Final
purl pkg:maven/io.netty/netty-codec-http@4.2.5.Final
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/io.netty/netty-codec-http@4.2.5.Final
aliases CVE-2025-58056, GHSA-fghv-69vj-qj49
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n9u5-a8js-hbf2
1
url VCID-rewk-dvth-tubh
vulnerability_id VCID-rewk-dvth-tubh
summary 
Netty's HttpPostRequestDecoder can OOM
### Summary
The `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors 

### Details
1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.
2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits

### PoC

Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder


Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

### Impact
Any Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29025.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29025
reference_id
reference_type
scores
0
value 0.00261
scoring_system epss
scoring_elements 0.49434
published_at 2026-04-04T12:55:00Z
1
value 0.00261
scoring_system epss
scoring_elements 0.49387
published_at 2026-04-07T12:55:00Z
2
value 0.00261
scoring_system epss
scoring_elements 0.49442
published_at 2026-04-08T12:55:00Z
3
value 0.00261
scoring_system epss
scoring_elements 0.49407
published_at 2026-04-02T12:55:00Z
4
value 0.00268
scoring_system epss
scoring_elements 0.50278
published_at 2026-04-09T12:55:00Z
5
value 0.00268
scoring_system epss
scoring_elements 0.50279
published_at 2026-04-12T12:55:00Z
6
value 0.00268
scoring_system epss
scoring_elements 0.50306
published_at 2026-04-11T12:55:00Z
7
value 0.00324
scoring_system epss
scoring_elements 0.55525
published_at 2026-04-16T12:55:00Z
8
value 0.00324
scoring_system epss
scoring_elements 0.55489
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29025
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29025
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29025
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
5
reference_url https://github.com/netty/netty
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/netty/netty
6
reference_url https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
7
reference_url https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
8
reference_url https://github.com/vietj/netty/tree/post-request-decoder
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vietj/netty/tree/post-request-decoder
9
reference_url https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T15:54:48Z/
url https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29025
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29025
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
reference_id 1068110
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068110
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2272907
reference_id 2272907
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2272907
13
reference_url https://github.com/advisories/GHSA-5jpm-x58v-624v
reference_id GHSA-5jpm-x58v-624v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5jpm-x58v-624v
14
reference_url https://access.redhat.com/errata/RHSA-2024:3550
reference_id RHSA-2024:3550
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3550
15
reference_url https://access.redhat.com/errata/RHSA-2024:4460
reference_id RHSA-2024:4460
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4460
16
reference_url https://access.redhat.com/errata/RHSA-2024:5479
reference_id RHSA-2024:5479
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5479
17
reference_url https://access.redhat.com/errata/RHSA-2024:5481
reference_id RHSA-2024:5481
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5481
18
reference_url https://access.redhat.com/errata/RHSA-2024:5482
reference_id RHSA-2024:5482
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5482
19
reference_url https://access.redhat.com/errata/RHSA-2024:6657
reference_id RHSA-2024:6657
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6657
20
reference_url https://usn.ubuntu.com/7284-1/
reference_id USN-7284-1
reference_type
scores
url https://usn.ubuntu.com/7284-1/
fixed_packages
0
url pkg:maven/io.netty/netty-codec-http@4.1.108.Final
purl pkg:maven/io.netty/netty-codec-http@4.1.108.Final
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-n9u5-a8js-hbf2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/io.netty/netty-codec-http@4.1.108.Final
aliases CVE-2024-29025, GHSA-5jpm-x58v-624v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rewk-dvth-tubh
Fixing_vulnerabilities
Risk_score3.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/io.netty/netty-codec-http@4.1.78.Final