VYPR
Moderate severity · OSV Advisory · Published Dec 16, 2025 · Updated Dec 16, 2025

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

CVE-2025-67735

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, io.netty.handler.codec.http.HttpRequestEncoder is vulnerable to CRLF injection through the request URI when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application or framework that uses HttpRequestEncoder can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
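One way an application can sanitize the request URI before it reaches HttpRequestEncoder, shown as an added example that is not Netty's code and not the project's fix. The class and method names are hypothetical, and the sample URIs are constructed.

```java
import java.util.List;

/** Hypothetical helper (not part of Netty): validates a request URI before it is
 *  placed in a request object that HttpRequestEncoder will serialize. */
public final class RequestTargetGuard {

    private RequestTargetGuard() {}

    /**
     * Returns the URI unchanged if it contains no character that could end or
     * split the HTTP request line; otherwise throws IllegalArgumentException.
     */
    public static String requireSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("request URI is empty");
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            // CR/LF terminate the request line, SP separates its three fields,
            // and other control characters have no place in a request target.
            if (c <= 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(String.format(
                        "illegal character 0x%02x at index %d in request URI", (int) c, i));
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> samples = List.of(
                "/search?q=netty",
                "/search?q=a%0d%0ab",            // percent-encoded: stays inside the URI
                "/search?q=a\r\nX-Injected: 1",  // raw CRLF: would start a new line
                "/search?q=a b");                // raw space: would split the request line
        for (String s : samples) {
            try {
                requireSafe(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Call requireSafe on any URI built from untrusted input before constructing the request; upgrading to 4.1.129.Final or 4.2.8.Final remains the fix the advisory names.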


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions                 Patched versions
io.netty:netty-codec-http (Maven)    >= 4.2.0.Alpha1, < 4.2.8.Final    4.2.8.Final
io.netty:netty-codec-http (Maven)    < 4.1.129.Final                   4.1.129.Final
