CVE-2025-4600: HTTP Request Smuggling in Google Cloud Classic Application Load Balancer due to Improper Chunked Encoding Validation
Description
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required as Classic Application Load Balancer service after 2025-04-26 is not vulnerable.
Classification
CVE ID: CVE-2025-4600
CVSS Base Severity: HIGH
CVSS Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:L/SA:L
Problem Types
CWE-20 Improper Input ValidationAffected Products
Vendor: Google Cloud
Product: Classic Application Load Balancer
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.1% (probability of being exploited)
EPSS Percentile: 28.81% (scored less or equal to compared to others)
EPSS Date: 2025-06-14 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4600https://cloud.google.com/support/bulletins#gcp-2025-027