CRLF Injection Vulnerability in Netty Network Application Framework
CVE-2025-67735

6.5 MEDIUM

Key Information:

Vendor: Netty

Status
Vendor
CVE Published: 16 December 2025

What is CVE-2025-67735?

Netty, a network application framework, is vulnerable to CRLF injection because its HttpRequestEncoder component does not properly handle request URIs. In versions prior to 4.1.129.Final and 4.2.8.Final, a request URI that has not been sanitized before it reaches the encoder can be used for request smuggling. Applications built on the framework are exposed wherever the request URI is not sanitized, and should upgrade to a fixed version to mitigate the risk.
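For code that builds outbound request URIs, a check like the following can reject line breaks before the URI reaches the encoder. This is an added example, not Netty code or the project's fix; `RequestUriGuard` and its methods are hypothetical names, and the sample URIs are constructed.

```java
import java.util.List;

// Hypothetical helper, not part of Netty: validate a request-target before
// it is handed to any code that writes it verbatim into the request line.
public final class RequestUriGuard {

    /** Returns the index of the first forbidden character, or -1 if the URI is clean. */
    static int firstForbidden(String uri) {
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            // CR and LF end the request line; other control characters, DEL and
            // space are not valid in a request-target (RFC 9112, section 3.2) either.
            if (c <= 0x20 || c == 0x7f) {
                return i;
            }
        }
        return -1;
    }

    /** Throws instead of letting a URI with line breaks reach the encoder. */
    static String requireSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("empty request URI");
        }
        int bad = firstForbidden(uri);
        if (bad >= 0) {
            throw new IllegalArgumentException(String.format(
                "request URI has forbidden character U+%04X at index %d",
                (int) uri.charAt(bad), bad));
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the second carries a CR LF pair.
        List<String> samples = List.of(
            "/search?q=netty",
            "/search?q=netty\r\nX-Injected: 1",
            "/path with space");
        for (String uri : samples) {
            try {
                requireSafe(uri);
                System.out.println("accepted: " + uri);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Such a check is defence in depth for URIs assembled from untrusted input; it does not replace upgrading to 4.1.129.Final or 4.2.8.Final.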

Affected Version(s)

netty >= 4.2.0.Alpha1, < 4.2.8.Final

netty < 4.1.129.Final

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
