A security vulnerability was detected in the classic Application Load Balancer service prior to April 26, 2025.

What should I do?

No customer action is required. The issue was resolved in the Classic Application Load Balancer service on April 26, 2025.

What vulnerabilities are being addressed?

CVE-2025-4600 allowed attackers to smuggle requests to classic Application Load Balancers due to incorrect parsing of oversized chunk bodies. When parsing the request body of an HTTP request using chunked transfer-encoding, the classic Application Load Balancer allows oversized chunk bodies. Consequently, it was feasible to hide bytes within this ignored trailing data that an upstream HTTP server might incorrectly interpret as a line terminator. This vulnerability was addressed within the classic Application Load Balancer service on April 26, 2025 through improved input validation and parsing logic.

We're here to help

If you have any questions or require assistance, contact Cloud Customer Care.