CVE-2025-67735
Unknown Unknown - Not Provided
CRLF Injection in Netty HttpRequestEncoder Enables Request Smuggling

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: GitHub, Inc.

Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-16
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-12-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67735
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
netty netty 4.1.128.Final
netty netty 4.2.7.Final
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-67735 is a CRLF (Carriage Return Line Feed) injection vulnerability in the Netty framework's HttpRequestEncoder class. The vulnerability occurs because the encoder writes the HTTP request URI without properly sanitizing it, allowing an attacker to inject CRLF sequences into the request line. This enables HTTP request smuggling attacks, where malicious requests can be smuggled through the server pipeline, potentially bypassing security controls or causing unexpected behavior in downstream servers. The issue affects versions prior to 4.1.129.Final and 4.2.8.Final and was fixed in those versions. [1]

Impact Analysis

This vulnerability can allow an attacker to perform HTTP request smuggling by injecting CRLF sequences into the request URI. This can lead to bypassing security controls, causing unexpected behavior in downstream servers, limited data exposure, and possible data modification. The attack can be performed remotely without any privileges or user interaction, making it relatively easy to exploit if the vulnerable versions of HttpRequestEncoder are used without proper URI sanitization. [1]

Detection Guidance

Detection of this vulnerability involves identifying HTTP requests with CRLF sequences injected into the URI, which can be used for request smuggling. You can monitor network traffic for suspicious HTTP request URIs containing encoded or raw CRLF characters (%0d%0a or \r\n). Using tools like tcpdump or Wireshark, you can filter HTTP requests and inspect the URI fields. For example, a tcpdump command to capture HTTP traffic could be: tcpdump -A -s 0 'tcp port 80' | grep -iE 'GET|POST' and then manually inspect for CRLF sequences in the URI. Additionally, using intrusion detection systems (IDS) with rules to detect CRLF injection patterns in HTTP requests can help. However, no specific commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Netty framework to versions 4.1.129.Final or later, or 4.2.8.Final or later, where the vulnerability has been patched. Additionally, ensure that any application or framework using HttpRequestEncoder performs proper sanitization and validation of the request URI to prevent CRLF injection. If upgrading is not immediately possible, implement input validation to filter out CRLF sequences in URIs before they reach the encoder. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart