Bug 2422568 (CVE-2025-67735) - CVE-2025-67735 netty-codec-http: Netty (netty-codec-http): Request Smuggling via CRLF Injection
Keywords:
Status: NEW
Alias: CVE-2025-67735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2423117 2423118
Blocks:
Reported: 2025-12-16 01:02 UTC by OSIDB Bzimport
Modified: 2025-12-17 09:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-16 01:02:22 UTC
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
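The sanitization the description calls for is a check that a request URI contains nothing that can terminate or extend the request line. The block below is an added, language-neutral illustration written in Python; it is not Netty's code and not the upstream fix. The function names (`is_safe_request_uri`, `encode_request_line`, `audit_uris`) and the sample URIs are constructed for this example. It shows why a raw CR/LF (or bare space) in a request target must be rejected before encoding, while the percent-encoded form is harmless because the encoder never decodes it.

```python
"""Request-target sanitization check for an HTTP/1.1 request encoder.

Added illustration (not Netty's own code): the kind of validation an
encoder, or the code calling it, must apply to a request URI before
placing it on the request line, so that a URI taken from untrusted
input cannot introduce an extra line break (CRLF injection).
"""
import re

# RFC 7230: the request-target consists of visible ASCII only (0x21-0x7E).
# CR, LF, NUL, other control characters and bare spaces must never appear
# unencoded; percent-encoding is the correct way to carry such bytes.
_FORBIDDEN = re.compile(r"[^\x21-\x7e]")

# RFC 7230 "token" characters, used to validate the method.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_request_uri(uri: str) -> bool:
    """True if the URI can be placed on a request line verbatim."""
    return uri != "" and _FORBIDDEN.search(uri) is None


def encode_request_line(method: str, uri: str, version: str = "HTTP/1.1") -> bytes:
    """Build 'METHOD target VERSION\\r\\n', refusing inputs that would
    add line breaks or whitespace to the line."""
    if not _TOKEN.match(method):
        raise ValueError(f"invalid method token: {method!r}")
    if not is_safe_request_uri(uri):
        raise ValueError(
            f"request URI contains forbidden control/whitespace characters: {uri!r}"
        )
    return f"{method} {uri} {version}\r\n".encode("ascii")


def audit_uris(uris):
    """Split a batch of request targets (for instance from an outbound
    request log) into accepted and rejected lists."""
    accepted, rejected = [], []
    for u in uris:
        (accepted if is_safe_request_uri(u) else rejected).append(u)
    return accepted, rejected


# Constructed sample inputs for the demonstration.
SAMPLE_URIS = [
    "/index.html",
    "/search?q=netty%0d%0a",   # percent-encoded CRLF: stays on one line, safe
    "/search?q=a\r\nb",        # raw CRLF: would split the request line, reject
    "/path with space",        # bare space: breaks request-line parsing, reject
]

if __name__ == "__main__":
    ok, bad = audit_uris(SAMPLE_URIS)
    print("accepted:", ok)
    print("rejected:", bad)
    print(encode_request_line("GET", "/index.html"))
```

Applying `is_safe_request_uri` at the boundary where untrusted data becomes a request target (rather than inside each call site) is the simplest way to make a client library robust to this class of bug, and the same check can be run over outbound-request logs to spot callers that are passing unsanitized input.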

