Request Smuggling Vulnerability in Google Cloud Classic Application Load Balancer
CVE-2025-4600

8.7HIGH

Key Information:

Vendor: Google Cloud
Status: Classic Application Load Balancer
Vendor: CVE Published:; 16 May 2025

🔔 Create Google Cloud Vulnerability Alert

What is CVE-2025-4600?

A request smuggling vulnerability existed in Google Cloud's Classic Application Load Balancer due to improper processing of chunked-encoded HTTP requests. Attackers could exploit this issue by crafting malicious requests that were misinterpreted by backend servers, potentially leading to unauthorized actions. The vulnerability was mitigated by implementing stricter controls to prevent stray data following a chunk in the request. This issue has been resolved and is not exploitable in any instances of the Classic Application Load Balancer deployed after April 26, 2025.

Affected Version(s)

Classic Application Load Balancer 0

References

https://cloud.google.com/support/bulletins#gcp-2025-027

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2025
Vulnerability Reserved
May 12, 2025

Credit

Jeppe Bonde Weikop