CVE-2025-59419 — CRLF Injection in Netty

CWE-93 — CRLF Injection CWE-78 — OS Command Injection8 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 52.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Debian Netty

Timeline

PublishedOct 15

Latest updateJan 15

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods s…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5netty/netty< 4.2.7.Final+1

▶debiandebian/netty< netty 1:4.1.48-7+deb12u2 (bookworm)

▶Debiannetty/netty< 1:4.1.48-4+deb11u3+3

🔴Vulnerability Details

OSV

CVE-2025-59419: Netty is an asynchronous, event-driven network application framework↗2025-10-15

▶

GHSA

Netty has SMTP Command Injection Vulnerability that Allows Email Forgery↗2025-10-15

▶

OSV

Netty has SMTP Command Injection Vulnerability that Allows Email Forgery↗2025-10-15

▶

📋Vendor Advisories

Oracle

Oracle Oracle GoldenGate Risk Matrix: Java Delivery (Netty) — CVE-2025-59419↗2026-01-15

▶

Ubuntu

Netty vulnerability↗2025-10-28

▶

Red Hat

io.netty/netty-codec-smtp: Netty netty-codec-smtp SMTP Command Injection↗2025-10-15

▶

Debian

CVE-2025-59419: netty - Netty is an asynchronous, event-driven network application framework. In version...↗2025

▶