CVE-2025-67735 Overview
CVE-2025-67735 is an HTTP Request Smuggling vulnerability in Netty, an asynchronous, event-driven network application framework widely used for building high-performance network applications. The vulnerability exists in the io.netty.handler.codec.http.HttpRequestEncoder component, which fails to properly sanitize request URIs, allowing attackers to inject CRLF (Carriage Return Line Feed) sequences. This injection leads to HTTP request smuggling attacks when applications use HttpRequestEncoder without implementing additional URI sanitization.
Critical Impact
Attackers can exploit this CRLF injection vulnerability to perform HTTP request smuggling attacks, potentially bypassing security controls, poisoning web caches, hijacking user sessions, or accessing unauthorized resources on backend systems.
Affected Products
- Netty versions prior to 4.1.129.Final
- Netty versions prior to 4.2.8.Final
- Any application or framework using HttpRequestEncoder without proper URI sanitization
Discovery Timeline
- 2025-12-16 - CVE-2025-67735 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-67735
Vulnerability Analysis
This vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences). The root issue lies in how Netty's HttpRequestEncoder constructs HTTP requests without adequately validating or encoding the request URI. When a malicious URI containing CRLF characters (\r\n) is passed to the encoder, these characters are not sanitized and are included verbatim in the outgoing HTTP request.
HTTP request smuggling occurs because different HTTP processors (such as frontend proxies and backend servers) may interpret the injected CRLF sequences differently. An attacker can craft a URI that, when processed, causes the HTTP message boundaries to be misinterpreted, effectively "smuggling" a second request within the first. This can be exploited over the network without authentication.
Root Cause
The HttpRequestEncoder class does not perform adequate input validation on the request URI before constructing the HTTP request line. CRLF characters in the URI are not escaped or rejected, allowing attackers to inject arbitrary HTTP headers or even complete HTTP requests into the encoded output.
Attack Vector
The attack is executed over the network by providing a crafted URI containing CRLF sequences to any application using Netty's HttpRequestEncoder. When the encoder constructs the HTTP request, the injected CRLF characters terminate the request line prematurely and begin injecting attacker-controlled content. This can include additional headers, a new request body, or an entirely separate HTTP request.
The vulnerability enables various attack scenarios including cache poisoning, session hijacking, web application firewall bypass, and unauthorized access to backend resources. Since Netty is a foundational library used by many Java applications and frameworks, the attack surface is broad.
Detection Methods for CVE-2025-67735
Indicators of Compromise
- Unusual HTTP requests containing CRLF sequences (%0d%0a, \r\n) in URI paths or parameters
- Web server logs showing malformed or duplicate HTTP requests from single connections
- Unexpected backend responses or cache behavior inconsistencies
- Application logs indicating request parsing errors or protocol violations
Detection Strategies
- Deploy web application firewalls (WAF) with rules to detect and block CRLF injection attempts in HTTP requests
- Implement HTTP request validation at ingress points to identify malformed URIs containing control characters
- Monitor for anomalies in HTTP traffic patterns that may indicate request smuggling attempts
- Utilize SentinelOne Singularity Platform to detect suspicious network activity and exploitation attempts targeting Netty-based applications
Monitoring Recommendations
- Enable detailed HTTP access logging on all web servers and reverse proxies to capture full request URIs
- Implement alerting for HTTP protocol violations or parsing errors at the infrastructure level
- Monitor for desynchronization between frontend and backend request counts, which may indicate successful smuggling
- Review application dependencies to identify Netty usage and prioritize patching accordingly
How to Mitigate CVE-2025-67735
Immediate Actions Required
- Upgrade Netty immediately to 4.1.129.Final (4.1.x branch) or 4.2.8.Final (4.2.x branch), or a later release
- Identify all applications and services using vulnerable Netty versions in your environment
- Implement URI validation and sanitization at the application level as a defense-in-depth measure
- Deploy WAF rules to block requests containing CRLF sequences in URIs pending patch deployment
Patch Information
The Netty project has released fixed versions that address this CRLF injection vulnerability. Version 4.1.129.Final fixes the issue for the 4.1.x branch, while version 4.2.8.Final fixes it for the 4.2.x branch. Organizations should update their Netty dependencies to these versions or later. For additional details, refer to the GitHub Security Advisory.
Workarounds
- Implement application-level URI validation to reject or encode CRLF characters before passing URIs to HttpRequestEncoder
- Deploy reverse proxy configurations that normalize and validate URIs before forwarding to backend Netty applications
- Use allowlist-based URI validation to restrict URIs to known-safe character sets
- Consider implementing request smuggling detection at the infrastructure level until patches can be applied
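The application-level check recommended above, as an added example that is not part of this advisory or of the Netty project's code: a client-side outbound handler that fails the write of any HttpRequest whose URI contains CR, LF or other characters outside an RFC 3986 allowlist, so the request never reaches HttpRequestEncoder. The handler name, the allowlist and the pipeline wiring are this example's own choices; it assumes Netty 4.1.x on the classpath.

```java
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpRequestEncoder;
import io.netty.util.ReferenceCountUtil;

/**
 * Hypothetical defence-in-depth handler (example code, not from Netty).
 * Outbound events travel from the pipeline tail towards the head, so this
 * handler must be added AFTER HttpRequestEncoder to see the request first.
 */
@ChannelHandler.Sharable
public final class UriSanitizingHandler extends ChannelOutboundHandlerAdapter {

    /** Allowlist of RFC 3986 URI characters; CR, LF, SP and other control characters are rejected. */
    static boolean isSafeRequestUri(String uri) {
        if (uri == null || uri.isEmpty()) {
            return false;
        }
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || "-._~:/?#[]@!$&'()*+,;=%".indexOf(c) >= 0;
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) {
        if (msg instanceof HttpRequest && !isSafeRequestUri(((HttpRequest) msg).uri())) {
            ReferenceCountUtil.release(msg); // a FullHttpRequest carries a ByteBuf that must be freed
            promise.setFailure(new IllegalArgumentException("request URI contains disallowed characters"));
            return;
        }
        ctx.write(msg, promise);
    }

    /** Wiring for a client pipeline: the guard sits tail-side of the encoder. */
    static void install(ChannelPipeline pipeline) {
        pipeline.addLast("httpEncoder", new HttpRequestEncoder());
        pipeline.addLast("uriGuard", new UriSanitizingHandler());
    }
}
```

Rejected writes surface as a failed ChannelFuture, so callers can log the offending URI (L23 above lists it as an indicator) instead of silently dropping it.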
# Verify which Netty version(s) your build currently resolves, including transitive ones
mvn dependency:tree | grep netty

# Pin the fixed version in pom.xml (use 4.2.8.Final if you are on the 4.2.x branch):
# <dependency>
#   <groupId>io.netty</groupId>
#   <artifactId>netty-all</artifactId>
#   <version>4.1.129.Final</version>
# </dependency>

# Alternatively, let the versions plugin bump all io.netty artifacts; it selects the
# newest available release, which may move a 4.1.x project to 4.2.x, so review the diff
mvn versions:use-latest-versions -Dincludes=io.netty
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

