Netty has SMTP Command Injection Vulnerability that Allows Email Forgery

Summary An SMTP Command Injection CRLF Injection vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters e.g., an email recipient to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to...

CVE-2025-59419

Netty CVE-2025-59419 is a CRLF injection vulnerability in the SMTP codec. In Netty versions prior to 4.1.128.Final and 4.2.7.Final, io.netty.handler.codec.smtp.DefaultSmtpRequest concatenates parameters into SMTP commands without sanitization, enabling an attacker-controlled CRLF sequence in reci...