CVE-2025-67735

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

INFO

Published Date :

2025-12-16T00:19:11.287Z

Last Modified :

2025-12-16T00:19:11.287Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-67735 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67735.

URL	Resource
https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact