Vulnerability	Vulnerable Version
M CRLF Injection Affected versions of this package are vulnerable to CRLF Injection in the `newInitialMessage` function of `HttpProxyHandler` when header validation is explicitly disabled and user-influenced `outboundHeaders` are added without sanitization. An attacker can inject arbitrary HTTP headers into proxy requests by supplying malicious header values containing CRLF sequences. Notes: This is only exploitable if the application uses `HttpProxyHandler` with user-influenced `outboundHeaders` and does not perform its own CRLF sanitization on header values. This is caused due to an incomplete fix for CVE-2025-67735. How to fix CRLF Injection? Upgrade `io.netty:netty-handler-proxy` to version 4.1.133.Final, 4.2.13.Final or higher.	[,4.1.133.Final)[4.2.0.Alpha1,4.2.13.Final)

CRLF Injection

Affected versions of this package are vulnerable to CRLF Injection in the newInitialMessage function of HttpProxyHandler when header validation is explicitly disabled and user-influenced outboundHeaders are added without sanitization. An attacker can inject arbitrary HTTP headers into proxy requests by supplying malicious header values containing CRLF sequences.

Notes:

This is only exploitable if the application uses HttpProxyHandler with user-influenced outboundHeaders and does not perform its own CRLF sanitization on header values.
This is caused due to an incomplete fix for CVE-2025-67735.

How to fix CRLF Injection?

Upgrade io.netty:netty-handler-proxy to version 4.1.133.Final, 4.2.13.Final or higher.

[,4.1.133.Final)[4.2.0.Alpha1,4.2.13.Final)

Go back to all versions of this package