CVE-2025-67735: Netty CRLF Injection Vulnerability

CVE-2025-67735 is a CRLF injection flaw in Netty's HttpRequestEncoder that enables request smuggling attacks. This vulnerability affects versions prior to 4.1.129.Final and 4.2.8.Final. Learn about technical details, impact, and fixes.

CVE-2025-67735 Overview

CVE-2025-67735 is a CRLF injection vulnerability in Netty, an asynchronous, event-driven network application framework widely used to build high-performance protocol servers and clients in Java. The flaw affects the io.netty.handler.codec.http.HttpRequestEncoder class in versions prior to 4.1.129.Final and 4.2.8.Final. When the encoder constructs an HTTP request, it fails to sanitize carriage return and line feed characters in the request URI. Attackers can exploit this to perform HTTP request smuggling against downstream servers and proxies. Any application or framework relying on HttpRequestEncoder is exposed [CWE-93].

Critical Impact

Unsanitized CRLF sequences in the request URI allow attackers to inject additional HTTP headers and smuggle secondary requests through Netty-based clients and proxies.

Affected Products

  • Netty versions prior to 4.1.129.Final
  • Netty versions prior to 4.2.8.Final
  • Java applications and frameworks embedding io.netty.handler.codec.http.HttpRequestEncoder

Discovery Timeline

  • 2025-12-16 - CVE-2025-67735 published to NVD
  • 2026-01-02 - Last updated in NVD database

Technical Details for CVE-2025-67735

Vulnerability Analysis

The vulnerability resides in HttpRequestEncoder, the component responsible for serializing outbound HTTP request objects into byte streams. The encoder writes the request URI directly into the request line without filtering CRLF (\r\n) sequences. An attacker who controls any portion of the URI passed to a Netty-based HTTP client can inject line terminators followed by arbitrary headers or even a complete second request.

The practical consequence is HTTP request smuggling. When the encoded request traverses a chain of proxies, load balancers, or back-end servers, intermediaries may interpret the injected content as a separate request. This desynchronization enables cache poisoning, session hijacking, security control bypass, and unauthorized access to internal endpoints behind reverse proxies.

Root Cause

The encoder treats the request URI as an opaque string and writes it verbatim onto the wire. There is no validation that the URI conforms to RFC 3986, which does not permit the control characters \r and \n anywhere in a URI. Improper neutralization of CRLF sequences in HTTP message construction is the canonical pattern described by [CWE-93].

Attack Vector

Exploitation requires an upstream application that passes attacker-influenced data into the URI field of a Netty HTTP request. Common vectors include API gateways forwarding user-supplied paths, server-side request handlers proxying URLs, and microservices constructing outbound calls from request parameters. The attacker submits a payload containing encoded CRLF characters followed by smuggled headers or a synthetic request body, causing the downstream HTTP parser to process two distinct requests where the client sent one.

No authentication is required when the wrapping application exposes URL construction to unauthenticated users. The vulnerability is exploitable over the network without user interaction.

Detection Methods for CVE-2025-67735

Indicators of Compromise

  • Outbound HTTP requests originating from Netty-based services containing raw \r\n sequences in the request line
  • Anomalous duplicate or interleaved HTTP requests observed at downstream proxies or web application firewalls
  • Unexpected Host header overrides or injected headers in traffic from internal application servers

Detection Strategies

  • Inventory Java applications and identify those bundling netty-codec-http at versions below 4.1.129.Final or 4.2.8.Final using software composition analysis tools
  • Inspect proxy and gateway logs for HTTP request smuggling signatures, including ambiguous Content-Length and Transfer-Encoding interactions
  • Add gateway rules that reject inbound parameters containing CRLF sequences before they reach Netty clients

Monitoring Recommendations

  • Enable verbose HTTP request logging at egress proxies to capture full request lines for forensic review
  • Alert on dependency manifests (pom.xml, build.gradle) referencing vulnerable Netty versions during CI/CD pipeline scans
  • Monitor application telemetry for unexpected outbound destinations that may indicate successful smuggling

How to Mitigate CVE-2025-67735

Immediate Actions Required

  • Upgrade Netty to 4.1.129.Final or later on the 4.1 line, or 4.2.8.Final or later on the 4.2 line, across all affected services
  • Audit application code paths that pass user-controlled data into Netty HTTP request URIs and apply explicit CRLF filtering
  • Rebuild and redeploy downstream artifacts that shade or repackage the Netty library

Patch Information

The Netty project addressed the issue in versions 4.1.129.Final and 4.2.8.Final. The fix sanitizes the URI within HttpRequestEncoder before it is written to the output buffer. Refer to the Netty GitHub Security Advisory GHSA-84h7-rjj3-6jx4 for the authoritative patch reference.

Workarounds

  • Validate and reject any URI input containing \r, \n, %0d, or %0a before constructing Netty HttpRequest objects
  • Wrap HttpRequestEncoder usage with a custom encoder layer that enforces RFC 3986 compliance on the URI field
  • Deploy a web application firewall rule to strip CRLF sequences from query strings and path parameters at the network edge

```bash
# Maven dependency update example (versions-maven-plugin); on the 4.2 line use 4.2.8.Final instead
mvn versions:use-dep-version -Dincludes=io.netty:netty-codec-http -DdepVersion=4.1.129.Final -DforceVersion=true
```
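As an added illustration of the first two workarounds (example code written for this page, not code from the Netty project), a small Java guard that rejects a request target before the application hands it to Netty. The class name and the DefaultFullHttpRequest call site it mentions are assumptions about the embedding application.

```java
import java.util.Locale;

// Guard for an attacker-influenced request target, applied before the application
// hands the string to Netty (e.g. new DefaultFullHttpRequest(HTTP_1_1, GET, uri)), so
// a vulnerable HttpRequestEncoder never sees a CR or LF. Assumed: the app owns that call.
public final class RequestTargetGuard {

    // Punctuation RFC 3986 allows in a URI (unreserved, gen-delims, sub-delims) plus
    // '%', which must start a two-hex-digit escape. '#' is left out: an HTTP
    // request target carries no fragment.
    private static final String ALLOWED_PUNCT = "-._~:/?[]@!$&'()*+,;=%";

    public static boolean isSafe(String uri) {
        if (uri == null || uri.isEmpty()) return false;
        for (int i = 0, n = uri.length(); i < n; i++) {
            char c = uri.charAt(i);
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            // Raw CR/LF, other controls, spaces and non-ASCII are refused outright:
            // the unpatched encoder copies them verbatim into the request line.
            if (!alnum && ALLOWED_PUNCT.indexOf(c) < 0) return false;
            if (c == '%') {
                if (i + 2 >= n || !isHex(uri.charAt(i + 1)) || !isHex(uri.charAt(i + 2))) {
                    return false; // truncated or malformed escape
                }
                String esc = uri.substring(i + 1, i + 3).toLowerCase(Locale.ROOT);
                // %0d / %0a are well-formed escapes, but any hop that decodes them
                // re-creates the injected line break, so they are refused as well.
                if (esc.equals("0d") || esc.equals("0a")) return false;
                i += 2;
            }
        }
        return true;
    }

    private static boolean isHex(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from real traffic.
        String[] samples = {"/api/v1/items?id=42", "/search?q=%E2%9C%93",
                "/x\r\nX-Injected: 1", "/x%0d%0aX-Injected:%201", "/x%0D", "/bad%zz", "/has space"};
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-32s -> %s%n", shown, isSafe(s) ? "accepted" : "rejected");
        }
    }
}
```

The first two samples are accepted; the remaining five are rejected for raw CRLF, encoded CR/LF (either case), a malformed escape, and a character outside the RFC 3986 set respectively.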

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.