
CVE-2025-4600: CWE-20 Improper Input Validation in Google Cloud Classic Application Load Balancer

Severity: High
Tags: Vulnerability, CVE-2025-4600, cve, cve-2025-4600, cwe-20
Published: Fri May 16 2025 (05/16/2025, 13:47:45 UTC)
Source: CVE
Vendor/Project: Google Cloud
Product: Classic Application Load Balancer

Description

A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required as Classic Application Load Balancer service after 2025-04-26 is not vulnerable.

AI-Powered Analysis

Last updated: 07/11/2025, 23:47:23 UTC

Technical Analysis

CVE-2025-4600 is a high-severity vulnerability identified in the Google Cloud Classic Application Load Balancer, classified under CWE-20 (Improper Input Validation). The vulnerability arises from improper handling of chunked-encoded HTTP requests, specifically allowing request smuggling attacks. In HTTP/1.1, chunked transfer encoding enables a client to send data in a series of chunks. If the load balancer fails to correctly parse or validate the chunked data, it can lead to a scenario where an attacker crafts malicious requests that are interpreted differently by the load balancer and the backend servers. This discrepancy can allow attackers to smuggle requests, bypass security controls, poison caches, or perform unauthorized actions on backend services. The root cause was the acceptance of stray data after a chunk, which was not properly disallowed, leading to ambiguity in request parsing. Google addressed this issue by updating the Classic Application Load Balancer to reject such malformed chunked requests, effectively closing the attack vector. The vulnerability was published on May 16, 2025, with a CVSS 4.0 score of 8.7 (high severity), indicating network-level exploitability without authentication or user interaction, and significant impact on integrity and availability. Importantly, the vulnerability is no longer exploitable in Classic Application Load Balancer services updated after April 26, 2025. There are no known exploits in the wild at the time of publication, and no patch links were provided, likely because the fix was integrated into the service itself. This vulnerability highlights the critical importance of strict input validation in load balancers, which serve as gatekeepers to backend infrastructure in cloud environments.

Potential Impact

For European organizations leveraging Google Cloud's Classic Application Load Balancer, this vulnerability could have allowed attackers to bypass security controls and manipulate backend server requests, potentially leading to unauthorized access, data tampering, or service disruption. The impact on confidentiality is limited as the vulnerability primarily affects request integrity and availability. However, the ability to smuggle requests could facilitate further attacks such as web cache poisoning, session hijacking, or injection attacks, which could indirectly compromise sensitive data. Given the high network-level exploitability without authentication, any exposed Classic Application Load Balancer instances running unpatched versions before April 26, 2025, are at risk. European organizations relying on this service for critical applications could face operational disruptions or reputational damage if exploited. Since the vulnerability is fixed in updated services, the risk is mitigated if organizations have adopted the latest service versions. Nevertheless, legacy systems or configurations that have not transitioned away from the Classic Application Load Balancer may remain vulnerable. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially from sophisticated attackers targeting cloud infrastructure.

Mitigation Recommendations

European organizations should verify whether their Google Cloud environments still utilize the Classic Application Load Balancer and confirm the service version date. Since the vulnerability is fixed in service versions updated after April 26, 2025, migrating workloads to the updated load balancer or newer Google Cloud load balancing solutions is the primary mitigation. For legacy systems that cannot be immediately migrated, organizations should implement strict ingress filtering and web application firewall (WAF) rules to detect and block malformed chunked HTTP requests. Monitoring network traffic for anomalous chunked transfer encoding patterns can help identify attempted exploitation. Additionally, organizations should audit backend server logs for irregular request patterns indicative of request smuggling attempts. Employing layered security controls, including endpoint protection and intrusion detection systems, can further reduce risk. Finally, maintaining up-to-date asset inventories and cloud configuration management will ensure timely identification and remediation of vulnerable components.
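The check named in the Description and Technical Analysis (no stray data after a chunk), which is also what the malformed-chunk detection recommended above has to test for, shown as an added example that is not Google's code and not part of the CVE record. It is a strict decoder following the RFC 9112 chunked grammar; the function names and sample bodies are constructed for illustration, and the buffer is assumed to hold exactly one message body.

```python
import re

# chunk-size is 1*HEXDIG, optionally followed by ";ext" (RFC 9112, section 7.1).
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?")
# Constructed samples, not captured traffic.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
STRAY_AFTER_CHUNK = b"5\r\nhelloXX\r\n0\r\n\r\n"

class ChunkedFramingError(ValueError):
    """The body deviates from the chunked-encoding grammar."""

def _line(body: bytes, pos: int) -> tuple[bytes, int]:  # line at pos, next offset
    eol = body.find(b"\r\n", pos)
    if eol < 0:
        raise ChunkedFramingError("line not terminated by CRLF")
    return body[pos:eol], eol + 2

def decode_chunked_strict(body: bytes) -> bytes:
    """Decode one chunked body; reject whatever a lenient parser would skip."""
    out, pos = bytearray(), 0
    while True:
        line, pos = _line(body, pos)
        if not (m := _SIZE_LINE.fullmatch(line)):
            raise ChunkedFramingError("malformed chunk-size line")
        size = int(m.group(1), 16)
        if size == 0:
            break
        end = pos + size
        if end + 2 > len(body):
            raise ChunkedFramingError("chunk shorter than declared size")
        # chunk-data must be followed immediately by CRLF; anything else is stray.
        if body[end:end + 2] != b"\r\n":
            raise ChunkedFramingError("stray data after chunk")
        out += body[pos:end]
        pos = end + 2
    while True:  # after the last chunk: optional trailer fields, then an empty line
        line, pos = _line(body, pos)
        if not line:
            return bytes(out)
        if b":" not in line:
            raise ChunkedFramingError("malformed trailer field")

def framing_verdict(body: bytes) -> str:
    """Return "ok" or the rejection reason, e.g. for a log or WAF field."""
    try:
        decode_chunked_strict(body)
    except ChunkedFramingError as exc:
        return str(exc)
    return "ok"
```

A front end and a backend that both apply this grammar cannot disagree on where the body ends; ambiguity only arises when one of them tolerates the bytes that are rejected here.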


Technical Details

Data Version: 5.1
Assigner Short Name: Google
Date Reserved: 2025-05-12T17:25:11.459Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebe39

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 11:47:23 PM

Last updated: 7/31/2025, 8:35:49 AM
