Request Smuggling Vulnerability in Google Cloud Classic Application Load Balancer
CVE-2025-4600

8.7 HIGH

Key Information:

Vendor
CVE Published: 16 May 2025

What is CVE-2025-4600?

A request smuggling vulnerability existed in Google Cloud's Classic Application Load Balancer due to improper processing of chunked-encoded HTTP requests. Attackers could exploit this issue by crafting malicious requests that were misinterpreted by backend servers, potentially leading to unauthorized actions. The vulnerability was mitigated by implementing stricter controls to prevent stray data following a chunk in the request. This issue has been resolved and is not exploitable in any instances of the Classic Application Load Balancer deployed after April 26, 2025.
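The kind of check the mitigation describes, rejecting stray data after a chunk, can be shown with a strict chunked-body decoder. This is an added example, not Google's code: the names decode_chunked_strict, ChunkFramingError and is_accepted are hypothetical, the sample bodies are constructed, and the framing rules follow the chunked grammar in RFC 9112 section 7.1.

```python
class ChunkFramingError(ValueError):
    """Raised when a chunked body deviates from strict framing."""

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")

def decode_chunked_strict(body: bytes, max_chunk: int = 1 << 20):
    """Return (payload, bytes_consumed) or raise ChunkFramingError."""
    pos, payload = 0, bytearray()
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkFramingError("chunk-size line lacks CRLF")
        size_hex, _, ext = body[pos:eol].partition(b";")
        if not size_hex or not HEX_DIGITS.issuperset(size_hex):
            raise ChunkFramingError("chunk size is not plain hex")
        if b"\r" in ext or b"\n" in ext:
            raise ChunkFramingError("bare CR or LF in chunk extension")
        size = int(size_hex, 16)
        if size > max_chunk:
            raise ChunkFramingError("chunk exceeds size limit")
        pos = eol + 2
        if size == 0:
            break  # last-chunk seen; the trailer section follows
        end = pos + size
        if end + 2 > len(body):
            raise ChunkFramingError("truncated chunk")
        # Exactly CRLF must follow the declared number of data bytes.
        if body[end:end + 2] != b"\r\n":
            raise ChunkFramingError("stray data after chunk")
        payload += body[pos:end]
        pos = end + 2
    while True:  # trailer fields, terminated by an empty line
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkFramingError("trailer section lacks final CRLF")
        line, pos = body[pos:eol], eol + 2
        if not line:
            return bytes(payload), pos
        if b":" not in line or b"\n" in line:
            raise ChunkFramingError("malformed trailer field")

# Constructed sample bodies (not captured traffic).
WELL_FORMED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
STRAY_AFTER_CHUNK = b"5\r\nhelloXX\r\n0\r\n\r\n"

def is_accepted(body: bytes) -> bool:
    """True when the body passes strict framing checks."""
    try:
        decode_chunked_strict(body)
        return True
    except ChunkFramingError:
        return False
```

Returning the number of bytes consumed lets a proxy and its backend agree on where the message ends; a body that fails any check should be rejected outright rather than repaired and forwarded.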

Affected Version(s)

Classic Application Load Balancer 0


CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeppe Bonde Weikop