diff --git a/build.gradle b/build.gradle
index 365d62e..21c385d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,6 +64,14 @@ subprojects {
 annotationProcessor(libs.lombok)
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
+
+ // Security: override transitive netty-codec-http to fix CVE-2025-67735 (CRLF injection)
+ constraints {
+ implementation('io.netty:netty-codec-http') {
+ version { require libs.versions.netty.get() }
+ because 'CVE-2025-67735: CRLF injection in HttpRequestEncoder'
+ }
+ }
 }
 checkstyle {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index e8a30c9..527cc69 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -11,6 +11,7 @@ lombok = "1.18.42"
 commons-codec = "1.20.0"
 find-bugs = "3.0.2"
 gradle-nexus-publish-plugin = "2.0.0"
+netty = "4.2.8.Final"
 datadog-statsd = "4.4.5" # Verify checkstyle = "8.44"
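Review bot: The `constraints` block added in the build.gradle hunk raises only `io.netty:netty-codec-http`, so any Netty module that is not pulled up through that artifact's own dependencies stays at whatever version the transitive graph selects, and the classpath can end up with mixed Netty versions. Netty modules are released together, and a partially upgraded set tends to fail at runtime with linkage errors rather than at build time. Aligning the whole family through the BOM would avoid that, for example `implementation(platform("io.netty:netty-bom:${libs.versions.netty.get()}"))`, with the CVE reference kept in the comment beside it. Because the constraint is declared on `implementation` only, it is worth confirming the resolved version per subproject with `gradle dependencyInsight --dependency netty-codec-http --configuration runtimeClasspath` and noting the result in the commit. The enclosing block (presumably `dependencies`) opens outside the hunk, so whether a Netty BOM is already imported there cannot be seen from here.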