CVE-2025-67735

Name	CVE-2025-67735
Description	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
netty (PTS)	bullseye, bullseye (security)	1:4.1.48-4+deb11u2	vulnerable
	bookworm, bookworm (security)	1:4.1.48-7+deb12u1	vulnerable
	trixie	1:4.1.48-10	vulnerable
	forky, sid	1:4.1.48-14	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
netty	source	(unstable)	(unfixed)

https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4