CVE-2025-67735
CRLF Injection in Netty HttpRequestEncoder Enables Request Smuggling

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` is vulnerable to CRLF injection through the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
netty    netty     4.1.128.Final
netty    netty     4.2.7.Final
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2025-67735 is a CRLF (Carriage Return Line Feed) injection vulnerability in the Netty framework's HttpRequestEncoder class. The encoder writes the HTTP request URI into the request line without sanitizing it, so an attacker who controls the URI can inject CRLF sequences into the request line. This enables HTTP request smuggling, where malicious requests are passed through the server pipeline and can bypass security controls or cause unexpected behavior in downstream servers. The issue affects versions prior to 4.1.129.Final and 4.2.8.Final and is fixed in those versions. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to perform HTTP request smuggling by injecting CRLF sequences into the request URI. This can lead to bypassed security controls, unexpected behavior in downstream servers, limited data exposure, and possible data modification. The attack can be performed remotely without privileges or user interaction, making it relatively easy to exploit wherever a vulnerable version of HttpRequestEncoder is used without proper URI sanitization. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves identifying HTTP requests whose URI carries injected CRLF sequences, which is the mechanism used for request smuggling. Monitor network traffic for suspicious request URIs containing raw or percent-encoded CRLF characters (`\r\n` or `%0d%0a`). With tools like tcpdump or Wireshark you can filter HTTP requests and inspect the URI fields; for example, `tcpdump -A -s 0 'tcp port 80' | grep -iE 'GET|POST'` captures plaintext HTTP request lines for manual inspection of CRLF sequences in the URI (this only sees unencrypted traffic, so TLS-wrapped requests must be inspected at a terminating proxy or in application logs). An intrusion detection system (IDS) with rules for CRLF injection patterns in HTTP requests can also help. However, no specific commands are provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade Netty to 4.1.129.Final or later (4.1 line) or 4.2.8.Final or later (4.2 line), where the vulnerability has been patched. Additionally, ensure that any application or framework using HttpRequestEncoder validates and sanitizes the request URI so that it cannot carry CRLF sequences. If upgrading is not immediately possible, implement input validation that rejects or filters out CRLF sequences in URIs before they reach the encoder. [1]


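A request-construction guard of the kind the mitigation above describes, as an added example that is not Netty's own code or its patch. It assumes Netty 4.1.x on the classpath; the class name SafeRequestBuilder and its methods are hypothetical, and EmbeddedChannel is used only to show the bytes HttpRequestEncoder would put on the wire.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequestEncoder;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;

public final class SafeRequestBuilder {
    // CR, LF, other ASCII controls and space are never valid in a raw request-target
    // (they may only appear percent-encoded), so reject rather than try to escape them.
    static String requireSafeUri(String uri) {
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c < 0x20 || c == 0x7f || c == ' ') {
                throw new IllegalArgumentException(String.format(
                    "unsafe character U+%04X in request-target at index %d", (int) c, i));
            }
        }
        return uri;
    }
    // Single choke point for building outgoing requests: the URI is checked
    // before the request object ever reaches HttpRequestEncoder.
    static FullHttpRequest build(HttpMethod method, String uri) {
        return new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, method, requireSafeUri(uri));
    }
    // Encode on an EmbeddedChannel and return the wire bytes as text so the
    // number of request lines actually emitted can be inspected.
    static String encodeToString(FullHttpRequest request) {
        EmbeddedChannel ch = new EmbeddedChannel(new HttpRequestEncoder());
        ch.writeOutbound(request);
        StringBuilder wire = new StringBuilder();
        for (ByteBuf buf = ch.readOutbound(); buf != null; buf = ch.readOutbound()) {
            wire.append(buf.toString(CharsetUtil.US_ASCII));
            buf.release();
        }
        return wire.toString();
    }
    public static void main(String[] args) {
        // Constructed sample: a benign path passes and encodes to exactly one request line.
        System.out.print(encodeToString(build(HttpMethod.GET, "/search?q=netty")));
        // Constructed sample: a path carrying a raw CR LF is refused before encoding.
        try {
            build(HttpMethod.GET, "/search?q=x\r\n");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard is defense in depth for callers that build requests from untrusted input; upgrading to the fixed versions remains the actual fix.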