CVE-2025-67735

Summary

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application / framework using HttpRequestEncoder can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

Affected Software

VendorProductVersion RangeStatus
nettynetty>= 4.2.0.Alpha1, < 4.2.8.Finalaffected
nettynetty< 4.1.129.Finalaffected

Weaknesses

  • CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References