CVE-2025-59419
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netty | netty | 4.2.7.Final |
| netty | netty | 4.1.128.Final |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an SMTP command injection in the Netty SMTP codec caused by insufficient input validation of Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters, such as email recipients. Specifically, in the class io.netty.handler.codec.smtp.DefaultSmtpRequest, parameters are concatenated directly into SMTP command strings without sanitization. Attackers can inject arbitrary SMTP commands by including CRLF sequences in these parameters, which the server then executes. [2]
How can this vulnerability impact me?
An attacker who can control SMTP command parameters can inject arbitrary SMTP commands that are sent from the trusted server's IP address. This allows forging of emails that bypass SPF and DKIM authentication, making them appear legitimate. The impact includes the ability to impersonate executives or officials, send false corporate announcements, conduct economic manipulation, disinformation campaigns, and sophisticated phishing attacks that are difficult to detect. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring SMTP traffic for unusual or malformed SMTP commands that include CRLF sequences injected in parameters such as recipient addresses. One approach is to capture SMTP traffic using tools like tcpdump or Wireshark and inspect for SMTP commands containing unexpected CR (\r) and LF (\n) characters within parameters. For example, you can use tcpdump to capture SMTP traffic on port 25: `tcpdump -i any -s 0 -A port 25 | grep -P '\r|\n'` to look for suspicious CRLF injection patterns. Additionally, reviewing application logs for unexpected SMTP command sequences or errors related to SMTP command parsing may help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Netty to a patched version: 4.1.129.Final or later, or 4.2.8.Final or later, where the vulnerability has been fixed. Since no known workarounds exist, applying the patch is critical. Additionally, restrict access to SMTP services to trusted users and networks to reduce exposure, and monitor SMTP traffic for suspicious activity until the upgrade is applied. [2]
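The three answers above describe the same defect from three sides: a parameter is concatenated verbatim into an SMTP command (the mechanism), an injected CRLF then looks on the wire like a legitimate command boundary (why traffic inspection alone is weak), and the fix is to stop control characters before they reach the codec. The following added example is not Netty's code and not from the BaseFortify page; it is a Python sketch of the unsafe concatenation pattern beside a hardened builder that rejects CR, LF and every other ASCII control character, plus a small audit helper for checking application-supplied fields before they are handed to any SMTP client. All inputs are constructed; the injected second command is a harmless NOOP chosen only to make the line split visible.

```python
"""
Added example (not Netty's code): the unsafe "concatenate the parameter
into the command" pattern that CVE-2025-59419 describes, beside a hardened
builder that refuses control characters, and an audit helper for
application-side fields. All sample values below are constructed.
"""
import re
from typing import Dict, List

CRLF = "\r\n"
# Any ASCII control character (CR 0x0D and LF 0x0A included) has no
# legitimate place inside an SMTP command parameter such as a recipient.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def build_rcpt_unsafe(recipient: str) -> str:
    """Mirror of the vulnerable pattern: the parameter is concatenated
    verbatim, so a CRLF inside it terminates the command early."""
    return f"RCPT TO:<{recipient}>{CRLF}"


def validate_parameter(value: str, name: str = "parameter") -> str:
    """Return the parameter unchanged, or raise ValueError if it contains
    any control character. The offset is included for logging."""
    match = _CONTROL.search(value)
    if match:
        code = ord(match.group())
        raise ValueError(
            f"{name} contains control character 0x{code:02x} at offset {match.start()}"
        )
    return value


def build_rcpt_safe(recipient: str) -> str:
    """Hardened builder: validation happens before concatenation."""
    return f"RCPT TO:<{validate_parameter(recipient, 'recipient')}>{CRLF}"


def commands_on_wire(payload: str) -> List[str]:
    """What an SMTP server actually parses: one command per CRLF-terminated
    line. Used here to show that an injected CRLF becomes a real boundary."""
    return [line for line in payload.split(CRLF) if line]


def audit_parameters(params: Dict[str, str]) -> List[str]:
    """Return the names of fields that would fail validation, so a web or
    API layer can reject the request and log the field instead of passing
    it on to the mail client."""
    bad = []
    for name, value in params.items():
        try:
            validate_parameter(value, name)
        except ValueError:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed hostile recipient: closes the angle bracket, then a CRLF,
    # then a harmless NOOP so the split is visible.
    hostile = "user@example.test>\r\nNOOP injected"
    print("unsafe builder sends:", commands_on_wire(build_rcpt_unsafe(hostile)))
    try:
        build_rcpt_safe(hostile)
    except ValueError as err:
        print("safe builder rejected it:", err)
    print("fields to reject:", audit_parameters({"rcpt": hostile, "sender": "ok@example.test"}))
```

Running the block shows the unsafe builder emitting two commands where one was intended, while the safe builder raises before anything is concatenated. The check is deliberately broader than CR and LF alone: rejecting the whole ASCII control range costs nothing for valid addresses and closes the same class of line-boundary confusion in any other text protocol the application speaks. This is an application-side defence-in-depth measure on top of the upgrade the page recommends, not a substitute for it, since the codec in the affected versions still performs no validation of its own.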