CVE-2025-4600 – HTTP Request Smuggling in Google Cloud Classic Application Load Balancer due to Improper Chunked Encoding Validation

https://notcve.org/view.php?id=CVE-2025-4600

16 May 2025 — A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required as Classic Application Load Balancer service after 2025-04-26 is not vulnerable. • https://cloud.google.com/support/bulletins#gcp-2025-027 • CWE-20: Improper Input Validation •