Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Published: 2026-05-13
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netty versions before 4.2.13.Final and 4.1.133.Final allow an attacker to inject carriage‑return line‑feed characters into the Redis encoder's output buffer. Because the Redis Serialization Protocol uses CRLF as a command delimiter, an attacker who can control the content of a Redis message can embed additional Redis commands or fabricate responses. This flaw, identified as a CRLF injection (CWE‑93), can compromise data integrity and cause unintended command execution on the Redis server.

Affected Systems

The vulnerability affects applications that use the Netty framework's Redis codec encoder. Specifically, any software built on io.netty:netty-codec-redis or netty:netty prior to 4.2.13.Final (for the 4.2 line) and 4.1.133.Final (for the 4.1 line) is susceptible. Upgrading to these or later releases removes the flaw.

Risk and Exploitability

The CVSS score of 6.8 classifies this issue as medium severity, and the EPSS score is not available, suggesting limited publicly known exploitation. The flaw is not listed in the CISA KEV catalog. If an attacker can inject data into the RedisEncoder, they could obtain or modify Redis data by issuing arbitrary commands. The likely attack vector is remote, via network traffic that reaches the encode path, and requires that the attacker controls part of the message content.

Generated by OpenCVE AI on May 13, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netty library to version 4.2.13.Final or 4.1.133.Final or newer.
  • Validate or sanitize output from RedisEncoder, ensuring that user supplied data does not contain CRLF characters before encoding.
  • Monitor Redis logs for unexpected command patterns and consider firewall rules to limit unauthorized Redis traffic.

Generated by OpenCVE AI on May 13, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rgrr-p7gp-5xj7 Netty Redis Codec Encoder has a CRLF Injection Issue
History

Tue, 26 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 18 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Io.netty
Io.netty netty-codec-redis
Netty
Netty netty
Vendors & Products Io.netty
Io.netty netty-codec-redis
Netty
Netty netty

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
Title Netty: CRLF Injection in Netty Redis Codec Encoder
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Io.netty Netty-codec-redis
Netty Netty
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:17:23.328Z

Reserved: 2026-04-28T17:26:12.086Z

Link: CVE-2026-42586

cve-icon Vulnrichment

Updated: 2026-05-14T18:17:13.327Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T19:17:24.323

Modified: 2026-05-18T18:02:43.357

Link: CVE-2026-42586

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-13T18:20:46Z

Links: CVE-2026-42586 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:34:00Z

Weaknesses