CVE-2025-67735

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netty:netty::::::::
	cpe:2.3:a:netty:netty::::::::

History

02 Jan 2026, 18:50

Type	Values Removed	Values Added
First Time		Netty netty Netty
CPE		cpe:2.3:a:netty:netty::::::::
References	~~() https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4 -~~	() https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4 - Exploit, Vendor Advisory

16 Dec 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-16 01:15

Updated : 2026-01-02 18:50

NVD link : CVE-2025-67735

Mitre link : CVE-2025-67735

CVE.ORG link : CVE-2025-67735

JSON object : View

Products Affected

netty

netty

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

6.5 /10