CVE-2025-67735

Name: CVE-2025-67735
Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` writes the request URI into the request line without rejecting CR/LF characters, so a URI containing them terminates the request line early and can inject further header lines or a second request (CRLF injection). This leads to request smuggling wherever `HttpRequestEncoder` is used without prior sanitization of the URI: any application or framework that passes untrusted URIs to `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
Source: CVE (cross-references at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1123606

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                          Version              Status
netty (PTS)      bullseye (security), bullseye    1:4.1.48-4+deb11u2   vulnerable
                 bookworm, bookworm (security)    1:4.1.48-7+deb12u1   vulnerable
                 trixie                           1:4.1.48-10          vulnerable
                 forky, sid                       1:4.1.48-14          vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
netty     source   (unstable)   (unfixed)                          1123606

Notes

https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
https://github.com/netty/netty/commit/77e81f1e5944d98b3acf887d3aa443b252752e94 (netty-4.1.129.Final)
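The following is an added example, not Netty's code and not taken from the advisory or the fix commit. It models the pattern behind this CVE in a few lines of Python: a request-line encoder that writes the URI verbatim, a hardened variant whose URI check (our own rule, not a description of Netty's patch) rejects CR, LF, other control characters and SP, and a minimal Content-Length-framed request splitter standing in for the upstream server that reads what the encoder produced. The `POISONED` and `BENIGN` requests are constructed inputs; the attacker-supplied URI closes the legitimate request and starts a second one, which the encoder's own ` HTTP/1.1` suffix and Host header then complete.

```python
# Added example (not Netty's code): a model of the CRLF-injection pattern behind
# CVE-2025-67735 in a request-line encoder, beside a hardened variant and a
# minimal server-side request splitter that shows the smuggled second request.
from dataclasses import dataclass, field

CRLF = "\r\n"


@dataclass
class Request:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def encode_unsanitized(req: Request) -> bytes:
    """Vulnerable pattern: the URI is written verbatim into the request line.

    A URI carrying CR/LF therefore terminates the request line early and lets
    the caller inject header lines and even a complete second request."""
    lines = [f"{req.method} {req.uri} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in req.headers.items()]
    head = CRLF.join(lines) + CRLF + CRLF
    return head.encode("latin-1") + req.body


def is_safe_uri(uri: str) -> bool:
    """URI check used by the hardened encoder (our own rule, an assumption about
    good practice rather than Netty's patch): reject CR, LF, every other control
    character and SP, none of which may appear in an HTTP/1.1 request-target."""
    return all(ch != " " and ch != "\x7f" and ord(ch) >= 0x20 for ch in uri)


def encode_sanitized(req: Request) -> bytes:
    """Hardened encoder: refuse to build a request from a URI that could split it."""
    if not is_safe_uri(req.uri):
        raise ValueError(f"illegal character in request URI: {req.uri!r}")
    return encode_unsanitized(req)


def parse_requests(wire: bytes) -> list:
    """Minimal HTTP/1.1 request splitter (Content-Length framing only), standing
    in for the upstream server or proxy that reads what the encoder produced."""
    requests = []
    data = wire
    while data:
        end = data.find(b"\r\n\r\n")
        if end < 0:
            raise ValueError("incomplete request head")
        head, data = data[:end], data[end + 4:]
        lines = head.decode("latin-1").split(CRLF)
        parts = lines[0].split(" ")
        if len(parts) != 3:
            raise ValueError(f"malformed request line: {lines[0]!r}")
        method, uri, _version = parts
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, data = data[:length], data[length:]
        requests.append((method, uri, headers, body))
    return requests


# Constructed attacker input: the URI closes the legitimate request and starts
# a second one; the encoder's own " HTTP/1.1" and Host header complete it.
POISONED = Request(
    method="GET",
    uri="/ HTTP/1.1" + CRLF + "Host: target" + CRLF + CRLF + "GET /admin",
    headers={"Host": "target"},
)
# Constructed benign input for comparison.
BENIGN = Request(method="GET", uri="/search?q=netty", headers={"Host": "target"})


def smuggled_uris(req: Request) -> list:
    """URIs a downstream server would see for a request built by the naive encoder."""
    return [uri for _method, uri, _headers, _body in parse_requests(encode_unsanitized(req))]


if __name__ == "__main__":
    print("unsanitized:", smuggled_uris(POISONED))   # ['/', '/admin']
    print("benign:     ", smuggled_uris(BENIGN))     # ['/search?q=netty']
    try:
        encode_sanitized(POISONED)
    except ValueError as exc:
        print("sanitized:  ", exc)
```

The point the model makes is that the encoder, not the parser, is the trust boundary: once the bytes are on the wire, a perfectly conformant upstream parser sees two valid requests, and the second one (`GET /admin`) carries whatever Host header and connection context the first one had. Rejecting CR/LF before the request line is built is the only place this can be stopped on the client side, which is why the fix has to live in the encoder rather than in callers.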
