#VU117297 Command Injection in Netty - CVE-2025-59419


Vulnerability identifier: #VU117297

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-59419

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Netty
Universal components / Libraries / Libraries used by multiple products

Vendor: Netty project

Description

The vulnerability allows a remote attacker to execute arbitrary SMTP commands.

The vulnerability exists due to insufficient input validation in the SMTP codec. A remote attacker can pass specially crafted data to the application and forge arbitrary emails from the trusted server.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Netty: 4.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.1.22, 4.1.23, 4.1.24, 4.1.25, 4.1.26, 4.1.27, 4.1.28, 4.1.29, 4.1.30, 4.1.31, 4.1.32, 4.1.33, 4.1.34, 4.1.35, 4.1.36, 4.1.37, 4.1.38, 4.1.39, 4.1.40, 4.1.41, 4.1.42, 4.1.43, 4.1.44, 4.1.45, 4.1.46, 4.1.47, 4.1.48, 4.1.49, 4.1.50, 4.1.51, 4.1.52, 4.1.53, 4.1.54, 4.1.55, 4.1.56, 4.1.57, 4.1.58, 4.1.59, 4.1.60, 4.1.61, 4.1.62, 4.1.63, 4.1.64, 4.1.65, 4.1.66, 4.1.67, 4.1.68, 4.1.69, 4.1.70, 4.1.71, 4.1.72, 4.1.73, 4.1.74, 4.1.75, 4.1.76, 4.1.77, 4.1.78, 4.1.79, 4.1.80, 4.1.81, 4.1.82, 4.1.83, 4.1.84, 4.1.85, 4.1.86, 4.1.87, 4.1.88, 4.1.89, 4.1.90, 4.1.91, 4.1.92, 4.1.93, 4.1.94, 4.1.95, 4.1.96, 4.1.97, 4.1.98, 4.1.99, 4.1.100, 4.1.101, 4.1.102, 4.1.103, 4.1.104, 4.1.105, 4.1.106, 4.1.107, 4.1.108, 4.1.109, 4.1.110, 4.1.111, 4.1.112, 4.1.113, 4.1.114, 4.1.115, 4.1.116, 4.1.117, 4.1.118, 4.1.119, 4.1.120, 4.1.121, 4.1.122, 4.1.123, 4.1.124, 4.1.125, 4.1.126, 4.1.127, 4.2.0, 4.2.0 RC1, 4.2.0 RC2, 4.2.0 RC3, 4.2.0 RC4, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6


External links
https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

