CVE-2025-67735 — CRLF Injection in Netty

CWE-93 — CRLF Injection8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 91.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netty Debian Netty

Timeline

PublishedDec 16

Latest updateJan 15

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.1…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5netty/netty< 4.1.129.Final+1

▶NVDnetty/netty4.2.0 — 4.2.8+1

▶debiandebian/netty< netty 1:4.1.48-7+deb12u2 (bookworm)

▶Debiannetty/netty< 1:4.1.48-4+deb11u3+3

🔴Vulnerability Details

OSV

CVE-2025-67735: Netty is an asynchronous, event-driven network application framework↗2025-12-16

▶

GHSA

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder↗2025-12-15

▶

OSV

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder↗2025-12-15

▶

📋Vendor Advisories

Oracle

Oracle Oracle Database Server Risk Matrix: Oracle Graal Development Kit for Micronaut (Nimbus JOSE+JWT) — CVE-2025-67735↗2026-01-15

▶

Red Hat

netty-codec-http: Netty (netty-codec-http): Request Smuggling via CRLF Injection↗2025-12-16

▶

Debian

CVE-2025-67735: netty - Netty is an asynchronous, event-driven network application framework. In version...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-67735 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶