PT-2026-38378 · Netty+2

Published 2026-05-07 · Updated 2026-06-11 · CVE-2026-42586

CVSS v3.1: 7.1 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Netty versions prior to 4.1.133.Final
Netty versions prior to 4.2.13.Final
Description
The Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Because the Redis Serialization Protocol (RESP) uses CRLF as the command and response delimiter, an attacker who controls the content of a Redis message can terminate the current frame early and append further frames: arbitrary Redis commands when the content is sent as a command, or forged responses when it is sent as a reply. Only the delimiter-terminated message types are affected: the text-based inline command mode and the simple string and error response types (bulk strings are length-prefixed, so a CRLF inside their payload does not end the frame). The vulnerable code is the writeString() method of the RedisEncoder class and the constructors of InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage (which inherit from AbstractStringRedisMessage), none of which reject CR or LF in the supplied content.
Recommendations
Update to version 4.1.133.Final or later.
Update to version 4.2.13.Final or later.
As a temporary workaround, avoid passing user-controlled text to InlineCommandRedisMessage, SimpleStringRedisMessage, and ErrorRedisMessage (prefer the length-prefixed bulk string type for such data), or reject or strip CR and LF in that input before it reaches these components. Check for the two characters individually rather than only for the "\r\n" pair, since the Redis inline parser also accepts a bare LF as a line terminator.
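The following is an added example, not Netty's code: a minimal RESP encoder and frame reader written for this page that mirrors the vulnerable behaviour (content copied verbatim after the "+", "-" or inline prefix), shows how a CRLF in that content splits one message into two frames, shows that the same bytes inside a length-prefixed bulk string stay a single frame, and applies the sanitizing check from the workaround above. The function names, the constructed attacker strings and the simplified reader (it handles only simple strings, errors, integers, bulk strings and inline lines) are assumptions of this example, not part of the advisory.

```python
"""Constructed RESP model illustrating CRLF injection and its mitigation (not Netty code)."""
from typing import List, Tuple

CRLF = b"\r\n"


def encode_simple_string(content: str) -> bytes:
    """Vulnerable shape: '+' + content + CRLF, content written verbatim."""
    return b"+" + content.encode() + CRLF


def encode_error(content: str) -> bytes:
    """Vulnerable shape: '-' + content + CRLF, content written verbatim."""
    return b"-" + content.encode() + CRLF


def encode_inline_command(content: str) -> bytes:
    """Vulnerable shape: inline command line + CRLF, content written verbatim."""
    return content.encode() + CRLF


def encode_bulk_string(content: bytes) -> bytes:
    """Length-prefixed bulk string: a CRLF inside the payload cannot end the frame."""
    return b"$" + str(len(content)).encode() + CRLF + content + CRLF


def sanitize(content: str) -> str:
    """Workaround: reject CR and LF individually before the text reaches an encoder."""
    if "\r" in content or "\n" in content:
        raise ValueError("CR/LF not allowed in simple string, error or inline command content")
    return content


def encode_simple_string_safe(content: str) -> bytes:
    """Simple string encoder with the sanitizing check applied first."""
    return encode_simple_string(sanitize(content))


def decode_frames(data: bytes) -> List[Tuple[str, bytes]]:
    """Minimal RESP reader: returns (kind, payload) for each frame in the byte stream.

    Delimiter-terminated kinds ('+', '-', ':' and inline) end at the first CRLF, which is
    exactly what an injected CRLF exploits; '$' bulk strings are read by declared length.
    """
    frames: List[Tuple[str, bytes]] = []
    i = 0
    while i < len(data):
        end = data.find(CRLF, i)
        if end < 0:
            raise ValueError("incomplete frame")
        line = data[i:end]
        i = end + 2
        if line.startswith(b"$"):
            n = int(line[1:])
            payload = data[i:i + n]
            if data[i + n:i + n + 2] != CRLF:
                raise ValueError("bulk string not terminated by CRLF")
            i += n + 2
            frames.append(("bulk", payload))
        elif line[:1] in (b"+", b"-", b":"):
            kind = {b"+": "simple", b"-": "error", b":": "integer"}[line[:1]]
            frames.append((kind, line[1:]))
        else:
            frames.append(("inline", line))
    return frames


def demo() -> None:
    """Walk through the injection and the two mitigations with constructed inputs."""
    # Constructed attacker-controlled reply text: ends the "+OK" frame and forges an error.
    forged_reply = "OK\r\n-ERR forged failure"
    print(decode_frames(encode_simple_string(forged_reply)))   # two frames: simple + error
    print(decode_frames(encode_bulk_string(forged_reply.encode())))  # one bulk frame

    # Constructed attacker-controlled command text: smuggles a second inline command.
    smuggled_cmd = "GET user:1\r\nFLUSHALL"
    print(decode_frames(encode_inline_command(smuggled_cmd)))  # two inline commands

    # The sanitizing wrapper refuses the same content.
    try:
        encode_simple_string_safe(forged_reply)
    except ValueError as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    demo()
```

The reader deliberately splits delimiter-terminated frames on the first CRLF, which is how a real RESP peer behaves; that is what turns one SimpleStringRedisMessage carrying "OK\r\n-ERR ..." into a genuine reply followed by a forged error, and one InlineCommandRedisMessage into two commands. Either routing the data through a bulk string or applying sanitize() before the vulnerable constructors removes the injection.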


Related Identifiers

CLEANSTART-2026-CP46043
CLEANSTART-2026-DD05788
CLEANSTART-2026-EG39405
CLEANSTART-2026-LE11246
CLEANSTART-2026-MX76059
CLEANSTART-2026-RN56220
CLEANSTART-2026-WK99982
CVE-2026-42586
GHSA-RGRR-P7GP-5XJ7
OPENSUSE-SU-2026:10795-1
SUSE-SU-2026:2308-1
USN-8401-1

Affected Products

Linuxmint
Netty
Ubuntu