Security Advisories

CVE-2025-67735

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-67735

Severity

6.5

Medium

CVSS V3

Summary

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, io.netty.handler.codec.http.HttpRequestEncoder is vulnerable to CRLF injection through the request URI when it constructs a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application or framework that uses HttpRequestEncoder can be abused to perform request smuggling through CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
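
The description ties the risk to URIs that reach HttpRequestEncoder without sanitization. The following is an added example, not code from Netty or from this advisory, and not the upstream fix: a plain-JDK check that rejects CR, LF, other control characters and spaces before a string is used as a request URI. The class name, method name and sample inputs are hypothetical and constructed for illustration.

```java
import java.util.List;

public class RequestUriGuard {

    /**
     * Returns the URI unchanged if it is safe to place on an HTTP/1.1 request line,
     * otherwise throws. Rejects CR, LF, every other control character, and spaces,
     * since any of them could terminate or split the request line.
     */
    static String requireSafeRequestUri(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("request URI is empty");
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            // 0x00-0x20 covers CR (0x0d), LF (0x0a), tab and space; 0x7f is DEL.
            if (c <= 0x20 || c == 0x7f) {
                throw new IllegalArgumentException(String.format(
                        "illegal character 0x%02x at index %d in request URI", (int) c, i));
            }
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        List<String> samples = List.of(
                "/search?q=netty",
                "/search?q=a%0d%0ab",            // percent-encoded: plain ASCII, accepted
                "/search?q=a\r\nX-Injected: 1",  // raw CRLF: must be rejected
                "/search?q=a b");                // raw space: must be rejected
        for (String s : samples) {
            try {
                // In an application, the returned value is what would be passed
                // on as the request URI.
                requireSafeRequestUri(s);
                System.out.println("accept  " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + e.getMessage());
            }
        }
    }
}
```

A check like this belongs at the point where untrusted input is turned into a request URI; upgrading to 4.1.129.Final or 4.2.8.Final remains the fix stated in the description.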

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-67735

Affected packages


© 2025 Chainguard. All Rights Reserved.