CVE-2025-67735
CRLF injection vulnerability in netty-codec-http (Maven)
What is CVE-2025-67735 About?
This is a CRLF injection vulnerability in Netty's `HttpRequestEncoder` when processing request URIs. It allows for request smuggling attacks if the encoder is used without proper URI sanitization. Attackers can leverage this to bypass security controls or access unauthorized resources, with exploitation requiring careful crafting of malicious URIs.
Affected Software
- io.netty:netty-codec-http
- <4.1.129.Final
- >=4.2.0.Alpha1, <4.2.8.Final
Technical Details
The vulnerability stems from io.netty.handler.codec.http.HttpRequestEncoder directly UTF-8 encoding the request URI without sanitization, specifically without guarding against newline sequences (CRLF) within the URI. If an attacker injects CR/LF characters into the URI, the HttpRequestEncoder writes them directly into the raw HTTP request line. This can terminate the first request line prematurely and inject a new, separate HTTP request, leading to request smuggling. While HTTP header implementations typically guard against such injections, the URI processing in this encoder lacks similar protections, enabling an attacker to bypass firewalls, caches, or reverse proxies by sending an ambiguous request that is interpreted differently by the various components in the application stack.
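A defensive check that an application can place in front of the encoder, as an added example that is not Netty's own code or the upstream fix: a hypothetical outbound handler (UriCrlfGuard, a name chosen here) that fails any request whose URI carries CR, LF or another control character before HttpRequestEncoder can write it into the request line. It assumes a standard Netty client pipeline in which this handler is added before HttpRequestEncoder or HttpClientCodec.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.util.ReferenceCountUtil;

/**
 * Hypothetical guard handler (not part of Netty): refuses to pass on any
 * outbound HttpRequest whose URI contains a control character, so a CR/LF
 * can never reach the request line and split it into a second request.
 * Install it before the encoder, e.g.
 *   pipeline.addBefore("encoder", "uriGuard", new UriCrlfGuard());
 * where "encoder" is whatever name the HttpRequestEncoder/HttpClientCodec
 * was registered under (an assumption of this example).
 */
public final class UriCrlfGuard extends ChannelOutboundHandlerAdapter {

    /** True if the URI is free of CR, LF, other C0 controls, space and DEL. */
    static boolean isSafeUri(String uri) {
        if (uri == null) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            // RFC 3986 requires such characters to be percent-encoded in a URI;
            // a raw 0x0D/0x0A here is exactly what terminates the request line.
            if (c <= 0x20 || c == 0x7F) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) {
        if (msg instanceof HttpRequest && !isSafeUri(((HttpRequest) msg).uri())) {
            // Fail the write instead of letting the encoder emit the raw URI.
            // Release the message so a FullHttpRequest's buffer does not leak;
            // the caller sees the failed promise and can log or alert on it.
            ReferenceCountUtil.release(msg);
            promise.setFailure(new IllegalArgumentException(
                    "refusing to encode request: URI contains control characters"));
            return;
        }
        ctx.write(msg, promise);
    }
}
```

Rejecting rather than silently percent-encoding keeps the failure visible in application logs, which is where a smuggling attempt against the client side would otherwise go unnoticed.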
What is the Impact of CVE-2025-67735?
Successful exploitation may allow attackers to bypass security measures, access unauthorized resources, manipulate web caches, perform Cross-Site Scripting (XSS), or launch other client-side or server-side attacks through request smuggling.
What is the Exploitability of CVE-2025-67735?
Exploitation of this CRLF injection vulnerability is of moderate complexity, as attackers must craft a specific URI that includes CRLF sequences. There are no explicit authentication or privilege requirements to trigger the vulnerability, as it depends only on how the HttpRequestEncoder processes user-supplied input that ends up in a URI. This vulnerability can be exploited remotely, as an attacker can send a specially crafted HTTP request to a server using the vulnerable HttpRequestEncoder. The primary prerequisite is that the application uses HttpRequestEncoder and does not adequately sanitize or validate the URI before it is passed to the encoder. Risk factors that increase the likelihood of exploitation include public-facing applications that accept unvalidated user input into request URIs, and deployment behind reverse proxies or load balancers that may interpret smuggled requests differently.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-67735?
Available Upgrade Options
- io.netty:netty-codec-http
- <4.1.129.Final → Upgrade to 4.1.129.Final
- io.netty:netty-codec-http
- >=4.2.0.Alpha1, <4.2.8.Final → Upgrade to 4.2.8.Final
Additional Resources
- https://github.com/netty/netty
- https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
- https://osv.dev/vulnerability/GHSA-84h7-rjj3-6jx4
- https://github.com/netty/netty/commit/77e81f1e5944d98b3acf887d3aa443b252752e94
What are Similar Vulnerabilities to CVE-2025-67735?
Similar Vulnerabilities: CVE-2023-38546, CVE-2022-21907, CVE-2021-42013, CVE-2020-13936, CVE-2019-16781
