PT-2025-51352 · Netty+2

Published: 2025-12-15 · Updated: 2026-05-18 · CVE-2025-67735

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Netty versions prior to 4.1.129.Final
Netty versions prior to 4.2.8.Final

Description

Netty is an asynchronous, event-driven network application framework. io.netty.handler.codec.http.HttpRequestEncoder is susceptible to CRLF injection when it constructs the request URI, which can lead to request smuggling. The issue arises when HttpRequestEncoder is used without proper sanitization of the URI, so any application or framework that uses HttpRequestEncoder may be exposed to request smuggling through this injection.

Recommendations

Update to Netty version 4.1.129.Final or later.
Update to Netty version 4.2.8.Final or later.
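
The description ties the issue to URIs reaching HttpRequestEncoder without sanitization. The block below is an added example, not Netty's fix and not code from this advisory: a caller-side check an application could apply to a URI before building the request it passes to the encoder. The class name, method names and sample input are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

// Added example: caller-side guard for request targets. Not Netty code.
public final class RequestTargetGuard {

    // Bytes that must never appear raw in an HTTP/1.1 request line:
    // control characters (CR and LF included), space and DEL.
    private static boolean isForbidden(int b) {
        return b <= 0x20 || b == 0x7f;
    }

    /** Rejects a request target that could break out of the request line. */
    public static String requireSafe(String target) {
        if (target == null || target.isEmpty()) {
            throw new IllegalArgumentException("empty request target");
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (isForbidden(c)) {
                throw new IllegalArgumentException(
                    String.format("forbidden character 0x%02x at index %d", (int) c, i));
            }
        }
        return target;
    }

    /** Alternative: percent-encode forbidden and non-ASCII bytes instead of rejecting. */
    public static String percentEncodeForbidden(String target) {
        StringBuilder out = new StringBuilder(target.length());
        for (byte raw : target.getBytes(StandardCharsets.UTF_8)) {
            int b = raw & 0xff;
            if (isForbidden(b) || b >= 0x80) {
                out.append(String.format("%%%02X", b));
            } else {
                out.append((char) b);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a query value carrying CR LF and a header-like suffix.
        String constructed = "/search?q=a\r\nX-Injected: 1";
        System.out.println("encoded:  " + percentEncodeForbidden(constructed));
        try {
            requireSafe(constructed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting is the stricter choice for URIs assembled from untrusted input; percent-encoding keeps the request well-formed when the value must be forwarded.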

Related Identifiers

BDU:2026-01632
CLEANSTART-2026-CF62516
CLEANSTART-2026-DC73689
CLEANSTART-2026-DD05788
CLEANSTART-2026-EZ90321
CLEANSTART-2026-GQ14179
CLEANSTART-2026-IA43044
CLEANSTART-2026-JU62349
CLEANSTART-2026-JW30455
CLEANSTART-2026-KU61465
CLEANSTART-2026-LE11246
CLEANSTART-2026-MM00120
CLEANSTART-2026-RN56220
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-TZ04509
CLEANSTART-2026-VH41554
CLEANSTART-2026-WG59699
CLEANSTART-2026-WK99982
CVE-2025-67735
GHSA-84H7-RJJ3-6JX4
OPENSUSE-SU-2025:15824-1
SUSE-SU-2025:4489-1

Affected Products

Debian
Netty
Red Os