CVE-2025-4600

EPSS 0.02%
Published 16.05.2025 13:47:45
Last modified 26.09.2025 17:18:42
Source cve-coordination@google.com
Teams watchlist Login
Open Login

A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required as Classic Application Load Balancer service after 2025-04-26 is not vulnerable.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Google ≫ Application Load Balancer Version < 2025-04-26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.05

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cve-coordination@google.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://cloud.google.com/support/bulletins#gcp-2025-027

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-4600

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4600

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4600

EUVD