CVE-2025-67735

Aliases:GHSA-84h7-rjj3-6jx4

Advisory lineage Upstream: 0 Downstream: 6

Downstream

DEBIAN-CVE-2025-67735 DLA-4519-1 DSA-6160-1 OPENSUSE-SU-2025:15824-1 SUSE-SU-2025:4489-1 UBUNTU-CVE-2025-67735

Analyzed

Published: 16 Dec 2025, 00:19

Last modified:16 Dec 2025, 14:26

Vulnerability Summary

Overall Risk (default)

medium

36/100

CVSS Score

6.5 MEDIUM

v3.1 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

16 Dec 2025, 00:19

Published

Vulnerability first disclosed

16 Dec 2025, 14:26

Last Modified

Vulnerability information updated

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

CVSS Metrics

v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 7%

Techniques & Countermeasures

CWE-93•Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Affected Systems

io.netty•netty-codec-http
≥ 4.2.0.Alpha1, < 4.2.8.Final | < 4.1.129.Final
netty•netty
≥ 4.2.0.Alpha1, < 4.2.8.Final | < 4.1.129.Final | < 4.1.129 | ≥ 4.2.0, < 4.2.8