CVE-2025-59419: Netty has SMTP Command Injection Vulnerability that Allows Email Forgery
An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec (the netty-codec-smtp module) allows a remote attacker who controls an SMTP command parameter, such as the recipient address that ends up in a RCPT TO command, to embed carriage-return/line-feed sequences, terminate the command the application intended to send, and append arbitrary further SMTP commands and message data. Because the injected commands travel over the application's own connection to its mail server, the forged messages originate from the trusted server and pass the sender-based checks (SPF, DKIM, DMARC) that receiving systems apply, which is why the flaw can be used to impersonate executives and forge high-stakes corporate communications. Any application that passes user-supplied values into SMTP commands through the affected codec is exposed; upgrade to a release that contains the fix commits referenced below and, independently of the library version, reject any user-supplied value containing CR or LF before it reaches an SMTP command.
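The following is an added example, not Netty's code and not taken from the advisory: a minimal SMTP command framer in the shape every client uses (verb, space, parameters, CRLF), driven once with an encoder that writes parameters through unchecked and once with an encoder that refuses CR/LF. The sender, the victim, the forged CEO address, the injected payload and the message bodies are all constructed for the demonstration; the tiny server-side parser only models how a receiving SMTP server splits the stream into commands and DATA payloads.

```python
# Added example (not Netty's code): a minimal SMTP command framer in the
# shape any client uses (VERB SP parameters CRLF), showing how an attacker-
# controlled RCPT TO parameter carrying CR/LF turns one outbound message into
# two, and the parameter check that closes the hole. All addresses, the
# injected payload and the message bodies are constructed for this demo.
import re

CRLF = "\r\n"
_CR_OR_LF = re.compile(r"[\r\n]")

# Constructed demo values (assumptions, not from the advisory).
SENDER = "noreply@trusted.example"
BENIGN_BODY = "Subject: Welcome" + CRLF + CRLF + "Your account was created."

# Attacker-supplied "recipient": closes the RCPT TO command, injects a whole
# forged message with an executive From: header, then reopens a transaction
# so that the application's trailing '>' and its own DATA still parse cleanly.
INJECTED_RECIPIENT = (
    "victim@example.com>" + CRLF
    + "DATA" + CRLF
    + "From: ceo@trusted.example" + CRLF
    + "To: victim@example.com" + CRLF
    + "Subject: Urgent wire transfer" + CRLF
    + CRLF
    + "Please pay the attached invoice today." + CRLF
    + "." + CRLF
    + "MAIL FROM:<" + SENDER + ">" + CRLF
    + "RCPT TO:<victim@example.com"
)


def encode_naive(verb: str, *params: str) -> str:
    """Frame one SMTP command without inspecting its parameters (the vulnerable shape)."""
    line = verb if not params else verb + " " + " ".join(params)
    return line + CRLF


def encode_strict(verb: str, *params: str) -> str:
    """Same framing, but refuse any parameter that could start a new protocol line."""
    for p in params:
        if _CR_OR_LF.search(p):
            raise ValueError(f"CR/LF not allowed in SMTP parameter: {p!r}")
    return encode_naive(verb, *params)


def build_transaction(encode, sender: str, recipient: str, body: str) -> str:
    """Client side of one mail transaction: MAIL FROM, RCPT TO, DATA, body, terminating '.'."""
    return (
        encode("MAIL", f"FROM:<{sender}>")
        + encode("RCPT", f"TO:<{recipient}>")
        + encode("DATA")
        + body + CRLF + "." + CRLF
    )


def parse_server_side(wire: str):
    """Model how the receiving SMTP server reads the stream: returns the command
    lines it saw and the DATA payloads it accepted as separate messages."""
    commands, messages, buf = [], [], []
    in_data = False
    for line in wire.split(CRLF):
        if in_data:
            if line == ".":
                messages.append(CRLF.join(buf))
                buf, in_data = [], False
            else:
                buf.append(line)
        elif line:
            commands.append(line)
            if line.upper() == "DATA":
                in_data = True
    return commands, messages


def demo_vulnerable():
    """Unchecked encoder: the server sees two DATA phases, the first a forged CEO mail."""
    wire = build_transaction(encode_naive, SENDER, INJECTED_RECIPIENT, BENIGN_BODY)
    return parse_server_side(wire)


def demo_hardened() -> bool:
    """Checked encoder: the same input is rejected before anything reaches the wire."""
    try:
        build_transaction(encode_strict, SENDER, INJECTED_RECIPIENT, BENIGN_BODY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    commands, messages = demo_vulnerable()
    print(f"unchecked encoder: {commands.count('DATA')} messages delivered; "
          f"first starts with {messages[0].splitlines()[0]!r}")
    print("checked encoder rejects the injected recipient:", demo_hardened())
```

The point to take from the run is that nothing on the server side is exploited: the relay simply executes a well-formed second transaction, and the forged message leaves with the relay's own envelope sender, so receiving-side authentication has no reason to fail it. In a Netty application the equivalent entry points are the SmtpRequests factory methods (for example the one building RCPT TO) encoded by SmtpRequestEncoder; a quick regression check after upgrading is to feed a parameter containing "\r\n" through that path and verify that it is rejected rather than written, and to keep an application-level CR/LF reject on user-supplied addresses regardless.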
References
- gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c
- github.com/advisories/GHSA-jq43-27x9-3v86
- github.com/netty/netty
- github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120
- github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9
- github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
- nvd.nist.gov/vuln/detail/CVE-2025-59419
- www.depthfirst.com/post/our-ai-agent-found-a-netty-zero-day-that-bypasses-email-authentication-the-story-of-cve-2025-59419