CNNVD-202510-2089 Information

CNNVD ID

CNNVD-202510-2089

CVE-2025-59419

  • CNNVD Published: 2025-10-15

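Description (translated from Chinese)

Netty is a non-blocking I/O client-server framework from the Netty community. It is used mainly to develop Java network applications such as protocol servers and clients. Netty versions before 4.1.128.Final and versions before 4.2.7.Final contain an injection vulnerability. The vulnerability stems from insufficient input validation of carriage return and line feed characters in user-supplied parameters, and may lead to SMTP command injection attacks.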

Description (English)

Netty is a non-blocking I/O client-server framework from the Netty community, used mainly to develop Java network applications such as protocol servers and clients. Netty versions before 4.1.128.Final and before 4.2.7.Final have an injection vulnerability that stems from insufficient validation of carriage return and line feed characters in user-supplied parameters, which could lead to an SMTP command injection attack.

Hazard Level

High

Vulnerability Type

Injection

Affected Vendor

Netty

Published

2025-10-15

Last Modified

2026-02-24

References

https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
https://github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120
https://vigilance.fr/vulnerability/Netty-SMTP-command-execution-via-SMTP-Codec-Carriage-Return-48620
https://www.oracle.com/security-alerts/cpujan2026.html
https://access.redhat.com/security/cve/cve-2025-59419

Patch

https://github.com/netty/netty/tags
