CVE-2025-4600: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Google Cloud Classic Application Load Balancer
A request smuggling vulnerability existed in the Google Cloud Classic Application Load Balancer due to improper handling of chunked-encoded HTTP requests. This allowed attackers to craft requests that could be misinterpreted by backend servers. The issue was fixed by disallowing stray data after a chunk, and is no longer exploitable. No action is required, as the Classic Application Load Balancer service is not vulnerable after 2025-04-26.
AI Analysis
Technical Summary
CVE-2025-4600 is a high-severity vulnerability classified under CWE-444, which pertains to inconsistent interpretation of HTTP requests, commonly known as HTTP Request/Response Smuggling. This vulnerability was identified in the Google Cloud Classic Application Load Balancer, a service that distributes incoming HTTP(S) traffic to backend servers. The root cause of the issue was improper handling of chunked-encoded HTTP requests, specifically allowing attackers to craft malicious HTTP requests containing stray data after a chunk. Such malformed requests could be interpreted differently by the load balancer and the backend servers, enabling attackers to smuggle requests that bypass security controls, poison web caches, or hijack user sessions. The vulnerability was addressed by Google through a fix that disallows stray data after a chunk in HTTP requests, effectively preventing the inconsistent parsing that led to the smuggling attack vector. The fix was applied as of April 26, 2025, and the Classic Application Load Balancer service versions after this date are not vulnerable. The CVSS 4.0 score of 8.7 reflects a high severity due to the vulnerability's network attack vector, low complexity, no required privileges or user interaction, and its potential to impact the integrity and availability of backend services. Although no known exploits have been observed in the wild, the nature of HTTP request smuggling vulnerabilities historically allows attackers to perform stealthy and impactful attacks on web infrastructure.
Potential Impact
For European organizations leveraging Google Cloud's Classic Application Load Balancer, this vulnerability could have allowed attackers to bypass security controls, manipulate backend server behavior, and potentially compromise the integrity and availability of web applications. This could lead to unauthorized access, session hijacking, cache poisoning, or denial of service conditions. Given the widespread adoption of Google Cloud services in Europe, particularly among enterprises and public sector entities, exploitation could disrupt critical services and damage trust. However, since the vulnerability has been patched and no active exploits are reported, the immediate risk is mitigated for organizations that have updated or are using the non-vulnerable versions. Organizations that have not migrated away from the Classic Application Load Balancer or have legacy configurations might still be at risk if they have not applied the fix or moved to newer load balancing solutions.
Mitigation Recommendations
European organizations should verify their use of Google Cloud Classic Application Load Balancer and confirm that their instances are running versions updated after April 26, 2025, when the patch was applied. For those still using the Classic Application Load Balancer, immediate migration to the updated service or alternative Google Cloud load balancing solutions is recommended. Network monitoring should be enhanced to detect anomalous HTTP request patterns indicative of request smuggling attempts. Web application firewalls (WAFs) should be configured to inspect and block malformed chunked HTTP requests. Additionally, backend servers should be hardened to handle unexpected HTTP request formats gracefully and log suspicious activities. Organizations should also review their incident response plans to include scenarios involving HTTP request smuggling and ensure timely patch management processes for cloud services.
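The fix described above ("disallowing stray data after a chunk") and the hardening advice for backend servers both come down to one parsing rule: after a chunk's declared number of bytes, the next two bytes must be CRLF, and a request that violates this is rejected rather than re-synchronised. The following strict chunked-body decoder is an added example (not Google's code or the load balancer's implementation) that enforces that rule and returns a reason string suitable for WAF or access logging; the sample bodies are constructed.

```python
import re

# Added example (not Google's code): a strict HTTP/1.1 chunked-body decoder.
# After a chunk's declared size, exactly CRLF must follow; any other byte is
# "stray data after a chunk" and the whole request is rejected (answer 400).
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,16})(;[^\r\n]*)?\r\n")  # chunk-size [ext] CRLF
_TRAILER = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*")    # field-name ":" value

class ChunkFramingError(ValueError):
    """Raised for any chunked-framing inconsistency; callers should reject the request."""

def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked body, raising ChunkFramingError on stray or truncated bytes."""
    out = bytearray()
    pos = 0
    while True:
        m = _SIZE_LINE.match(body, pos)
        if not m:
            raise ChunkFramingError(f"malformed chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk: only optional trailer fields and one final CRLF may follow
            rest = body[pos:]
            if rest != b"\r\n":
                if not rest.endswith(b"\r\n\r\n"):
                    raise ChunkFramingError("missing final CRLF after last chunk")
                for line in rest[:-4].split(b"\r\n"):
                    if not _TRAILER.fullmatch(line):
                        raise ChunkFramingError(f"invalid trailer line {line!r}")
            return bytes(out)
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkFramingError(f"chunk at offset {pos} shorter than declared {size}")
        pos += size
        # The core check: the two bytes after the chunk data must be CRLF, nothing else.
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkFramingError(f"stray data after chunk at offset {pos}: {body[pos:pos + 8]!r}")
        pos += 2
        out += data

def check_chunked_body(body: bytes) -> tuple[bool, str]:
    """Accept/reject verdict with a reason string for a WAF rule or access log."""
    try:
        decode_chunked_strict(body)
        return True, "ok"
    except ChunkFramingError as exc:
        return False, str(exc)
```

A lenient parser that skips ahead to the next CRLF would silently accept the stray bytes, which is exactly the front-end/back-end disagreement the advisory describes; rejecting at the first violation removes that ambiguity.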
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name:
- Date Reserved: 2025-05-12T17:25:11.459Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f91484d88663aebe39
Added to database: 5/20/2025, 6:59:05 PM
Last enriched: 9/9/2025, 9:33:54 PM
Last updated: 9/30/2025, 3:29:06 AM