Bug#1118282: netty: CVE-2025-59419

[Salvatore Bonaccorso]

Source: netty
Version: 1:4.1.48-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1:4.1.48-7+deb12u1
Control: found -1 1:4.1.48-7

Hi,

The following vulnerability was published for netty.

CVE-2025-59419[0]:
| Netty is an asynchronous, event-driven network application
| framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the
| SMTP codec in Netty contains an SMTP command injection vulnerability
| due to insufficient input validation for Carriage Return (\r) and
| Line Feed (\n) characters in user-supplied parameters. The
| vulnerability exists in
| io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are
| directly concatenated into the SMTP command string without
| sanitization. When methods such as SmtpRequests.rcpt(recipient) are
| called with a malicious string containing CRLF sequences, attackers
| can inject arbitrary SMTP commands. Because the injected commands
| are sent from the server's trusted IP address, resulting emails will
| likely pass SPF and DKIM authentication checks, making them appear
| legitimate. This allows remote attackers who can control SMTP
| command parameters (such as email recipients) to forge arbitrary
| emails from the trusted server, potentially impersonating executives
| and forging high-stakes corporate communications. This issue has
| been patched in versions 4.1.129.Final and 4.2.8.Final. No known
| workarounds exist.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59419
    https://www.cve.org/CVERecord?id=CVE-2025-59419
[1] https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
[2] https://github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9

Regards,
Salvatore