Funky chunks: abusing ambiguous chunk line terminators for request smuggling #1
Description
Research
https://w4ke.info/2025/06/18/funky-chunks.html
Disclosure Summary
Fixed and assigned CVE:
- Apache Traffic Server: CVE-2024-53868
- AIOHTTP: CVE-2024-52304
- Golang net/http: CVE-2025-22871
- Google Classic Application Load Balancer: CVE-2025-4600
- h11: CVE-2025-43859
- Ktor: CVE-2025-29904
Fixed, no CVE assigned:
- fasthttp: PR: fix: lenient chunk extension parsing leading to request smuggling issues valyala/fasthttp#1899
- Eclipse Jetty: PR: Enhance HTTP Compliance CRLF modes jetty/jetty.project#12564
- Eclipse Grizzly: PR: Feature/strict crlf for chunked transfer coding eclipse-ee4j/glassfish-grizzly#2220
- pound: PR: Reject requests with oversized chunk bodies graygnuorg/pound#43
Fix pending, no CVE assigned:
- "Undisclosed cloud CDN"
- gunicorn: fix: problematic parsing leniency in parsing chunk extensions benoitc/gunicorn#3327
- H2O: forbid use of bare LF as chunk header terminator h2o/picohttpparser#82
- uHTTPd: client: perform strict chunk size parsing openwrt/uhttpd#4
No fix, no CVE:
- nginx (decided not to fix, referred researcher to this discussion)
- Netty (no response) -> GHSA-3fw8-v8qq-g4c3