6.8

CVE-2026-42586

Netty: CRLF Injection in Netty Redis Codec Encoder

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellernetty
Produkt netty
Version >= 4.2.0.Alpha1, < 4.2.13.Final
Status affected
Version < 4.1.133.Final
Status affected
Herstellerio.netty
Produkt netty-codec-redis
Version >= 4.2.0.Alpha1, < 4.2.13.Final
Status affected
Version < 4.1.133.Final
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.05
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 6.8 2.5 4.2
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.