Source: netty
Version: 1:4.1.48-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:4.1.48-7+deb12u1
Control: found -1 1:4.1.48-7
Hi,

The following vulnerability was published for netty.

CVE-2025-59419[0]:
| Netty is an asynchronous, event-driven network application
| framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the
| SMTP codec in Netty contains an SMTP command injection vulnerability
| due to insufficient input validation for Carriage Return (\r) and
| Line Feed (\n) characters in user-supplied parameters. The
| vulnerability exists in
| io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are
| directly concatenated into the SMTP command string without
| sanitization. When methods such as SmtpRequests.rcpt(recipient) are
| called with a malicious string containing CRLF sequences, attackers
| can inject arbitrary SMTP commands. Because the injected commands
| are sent from the server's trusted IP address, resulting emails will
| likely pass SPF and DKIM authentication checks, making them appear
| legitimate. This allows remote attackers who can control SMTP
| command parameters (such as email recipients) to forge arbitrary
| emails from the trusted server, potentially impersonating executives
| and forging high-stakes corporate communications. This issue has
| been patched in versions 4.1.129.Final and 4.2.8.Final. No known
| workarounds exist.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59419
    https://www.cve.org/CVERecord?id=CVE-2025-59419
[1] https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
[2] https://github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9

Regards,
Salvatore
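Added illustration (not Netty's code and not part of the bug report): a small model of the concatenation the advisory describes, next to the CR/LF parameter check that the fix amounts to. The `RCPT TO:<...>` wire format, the function names and the sample recipients are assumptions constructed for this example.

```python
"""Model of the CVE-2025-59419 pattern: SMTP parameters joined into one
command line without checking for CR/LF. Constructed illustration only."""

CR, LF = "\r", "\n"


def encode_unchecked(command: str, *parameters: str) -> bytes:
    """Models the pre-fix behaviour: parameters are concatenated into the
    command line exactly as supplied (wire format is an assumption)."""
    line = " ".join([command, *parameters])
    return (line + CR + LF).encode("ascii")


def validate_parameter(param: str) -> str:
    """Reject any parameter that could end the current SMTP line.
    SMTP lines end in CRLF, so a bare CR or bare LF is refused as well."""
    if CR in param or LF in param:
        raise ValueError("SMTP parameter contains CR or LF")
    return param


def encode_checked(command: str, *parameters: str) -> bytes:
    """Hardened encoder: every parameter is validated before concatenation."""
    return encode_unchecked(command, *(validate_parameter(p) for p in parameters))


def rcpt(recipient: str, checked: bool = True) -> bytes:
    """Mirrors the role of SmtpRequests.rcpt(recipient) in the advisory;
    the 'TO:<...>' rendering is assumed, not taken from Netty."""
    enc = encode_checked if checked else encode_unchecked
    return enc("RCPT", f"TO:<{recipient}>")


def commands_on_wire(payload: bytes) -> list:
    """Number of command lines an SMTP server would parse from the bytes."""
    return [l for l in payload.decode("ascii").split(CR + LF) if l]


if __name__ == "__main__":
    # Constructed recipient carrying a CRLF sequence followed by a second line.
    injected = "user@example.test" + CR + LF + "NOOP injected"
    print(commands_on_wire(rcpt(injected, checked=False)))  # two command lines
    try:
        rcpt(injected)  # hardened path refuses the parameter
    except ValueError as err:
        print("rejected:", err)
```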

