HTTP Request Smuggling Affecting keycloak-26.3 package, versions <26.3.3-r6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-KEYCLOAK263-12549173
- published6 Sept 2025
- disclosed3 Sept 2025
Introduced: 3 Sep 2025
NewCVE-2025-58056 (opens in a new tab)How to fix?
Upgrade Chainguard keycloak-26.3 to version 26.3.3-r6 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream keycloak-26.3 package and not the keycloak-26.3 package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.
References
- https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding
- https://github.com/JLLeitschuh/unCVEed/issues/1
- https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284
- https://github.com/netty/netty/issues/15522
- https://github.com/netty/netty/pull/15611
- https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49
- https://w4ke.info/2025/06/18/funky-chunks.html