The vulnerability exists in Netty's Redis codec encoder (RedisEncoder), versions 4.2.12.Final and prior. The core issue is improper neutralization of CRLF sequences (CWE-93): the writeString() method at lines 103-111 writes user-controlled content directly via ByteBufUtil.writeUtf8() without checking for '\r' or '\n' characters. The message constructors (InlineCommandRedisMessage, SimpleStringRedisMessage, ErrorRedisMessage) inherit from AbstractStringRedisMessage, which only checks for null and never validates CRLF.

Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who controls string content can inject arbitrary Redis commands or forge fake responses. For example, placing "PING\r\nFLUSHALL" into InlineCommandRedisMessage causes two commands to be sent. The encoder appends its own CRLF after the content, but the injected CRLF has already split the protocol stream. This is analogous to previously fixed Netty CVEs for SMTP (GHSA-jq43-27x9-3v86) and HTTP (GHSA-84h7-rjj3-6jx4), where validation was added; here, no validation exists in either the encoder or the constructors.

Exploitability requires the application to use codec-redis, place user input into text-based message types, and not sanitize CRLF. Most production Redis clients use the binary-safe array format, but inline commands, simple strings, and error messages are vulnerable. Attack scenarios include Redis command injection (e.g., CONFIG SET, FLUSHALL), response poisoning (injecting fake bulk strings), and error injection.
Platform: Netty
Version: All prior versions
Vulnerability: CRLF Injection
Severity: Critical
Date: 2026-05-07
Prediction: Mid June 2026
What Undercode Says:
# Clone Netty and check out the vulnerable version
git clone https://github.com/netty/netty.git
cd netty
git checkout netty-4.2.12.Final

# Build only the required modules
./mvnw install -pl common,buffer,codec,codec-redis,transport -DskipTests

# Compile the PoC (from )
javac -cp "$(find ~/.m2/repository/io/netty -name '*.jar' | tr '\n' ':')" RedisEncoderCRLFInjectionPoC.java

# Run the PoC
java -cp ".:$(find ~/.m2/repository/io/netty -name '*.jar' | tr '\n' ':')" RedisEncoderCRLFInjectionPoC
Exploit:
Inject via InlineCommandRedisMessage:
key = "foo\r\nCONFIG SET requirepass \"\"\r\nFLUSHALL"

Malicious simple string response:
content = "OK\r\n$6\r\nhacked"
Protection from this CVE
// Validate in the AbstractStringRedisMessage constructor
private static void validateContent(String content) {
    if (content.indexOf('\r') != -1 || content.indexOf('\n') != -1) {
        throw new IllegalArgumentException("CRLF not allowed");
    }
}
// Or validate in RedisEncoder.writeString() before writing
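As an added example (not Netty's code and not from the advisory), a pipeline-level guard that applications can drop in while they cannot yet upgrade: the RedisCrlfGuard class and its placement are assumptions of this example, while RedisEncoder, InlineCommandRedisMessage, AbstractStringRedisMessage and EmbeddedChannel are Netty's public classes.

```java
import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.redis.AbstractStringRedisMessage;
import io.netty.handler.codec.redis.InlineCommandRedisMessage;
import io.netty.handler.codec.redis.RedisEncoder;
import io.netty.util.CharsetUtil;

// Hypothetical outbound handler (not part of Netty): rejects any text-based Redis
// message (inline command, simple string, error) whose content contains CR or LF
// before RedisEncoder sees it, so the RESP frame cannot be split.
public final class RedisCrlfGuard extends ChannelOutboundHandlerAdapter {
    @Override
    public void write(ChannelHandlerContext ctx, Object msg, ChannelPromise promise) {
        if (msg instanceof AbstractStringRedisMessage) {
            String content = ((AbstractStringRedisMessage) msg).content();
            if (content.indexOf('\r') != -1 || content.indexOf('\n') != -1) {
                // Fail the write instead of forwarding it; nothing reaches the encoder.
                promise.setFailure(new IllegalArgumentException("CRLF not allowed in Redis text message"));
                return;
            }
        }
        ctx.write(msg, promise);
    }

    public static void main(String[] args) {
        // Outbound handlers run tail-to-head, so the guard is added AFTER the
        // encoder in order to run BEFORE it on every write.
        EmbeddedChannel ch = new EmbeddedChannel(new RedisEncoder(), new RedisCrlfGuard());

        // Constructed sample: a clean inline command is encoded as "PING\r\n".
        ch.writeOutbound(new InlineCommandRedisMessage("PING"));
        ByteBuf out = ch.readOutbound();
        System.out.println("encoded: " + out.toString(CharsetUtil.UTF_8).replace("\r\n", "<CRLF>"));
        out.release();

        // Constructed sample: the injected content from the description above is
        // refused; EmbeddedChannel rethrows the failed promise's cause.
        try {
            ch.writeOutbound(new InlineCommandRedisMessage("PING\r\nFLUSHALL"));
            System.out.println("UNEXPECTED: injected message was encoded");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        ch.finishAndReleaseAll();
    }
}
```

Compile and run it against the same classpath as the PoC above; a second frame never reaches the wire because the guard fails the write before encoding.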
Impact:
- Command injection (CONFIG GET/SET, FLUSHALL, SHUTDOWN)
- Authentication bypass (remove requirepass)
- Data destruction & exfiltration via Lua scripts
- Response poisoning for downstream clients
Sources:
Reported By: github.com