Saved February 14, 2026
This article discusses a security vulnerability in the Netty library related to SMTP command injection, allowing attackers to manipulate email sending. The flaw bypasses established email security protocols like SPF, DKIM, and DMARC. The author highlights the role of AI in discovering the vulnerability and generating a patch.
A vulnerability in the Netty library, tracked as CVE-2025-59419, was flagged by a security AI agent. Netty is widely used in the Java ecosystem and is adopted by major companies such as Apple, Meta, and Google. The flaw is a business logic issue in how Netty handles the Simple Mail Transfer Protocol (SMTP): its SMTP handling accepted \r\n (CRLF) in user-supplied values. Because CRLF is the line terminator that ends an SMTP command, a value containing it can inject additional commands into the SMTP session. An attacker can craft an email that manipulates the recipient and can even send forged emails from trusted accounts, bypassing standard security measures such as SPF, DKIM, and DMARC.
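The defensive check the paragraph above implies, as an added example written for this summary (it is not Netty's code, not the patch the article describes, and does not use Netty's SMTP API): a small guard that refuses any CR, LF or NUL in a value before it is placed into an SMTP command line. The `SmtpParameterGuard` class and its method names are assumptions, and the sample inputs are constructed; the second one embeds a CRLF followed by a harmless `NOOP` purely to show that the terminator would have started a new command line.

```java
import java.util.List;

/**
 * Added example, not Netty's code: a guard that rejects CR, LF and NUL in
 * values that will be interpolated into SMTP command lines. SMTP commands
 * are terminated by CRLF, so any CR or LF inside a user-supplied address or
 * parameter would end the current command and begin another one.
 */
public final class SmtpParameterGuard {

    private SmtpParameterGuard() {}

    /** Returns true when the value contains no CR, LF or NUL character. */
    public static boolean isSafeSmtpParameter(CharSequence value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == '\0') {
                return false;
            }
        }
        return true;
    }

    /** Throws if the value is unsafe; otherwise returns it unchanged. */
    public static String requireSafe(String what, String value) {
        if (!isSafeSmtpParameter(value)) {
            throw new IllegalArgumentException(
                what + " must not contain CR, LF or NUL characters");
        }
        return value;
    }

    /** Builds a RCPT TO command line only after validating the recipient. */
    public static String rcptTo(String recipient) {
        return "RCPT TO:<" + requireSafe("recipient", recipient) + ">\r\n";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second carries a CRLF and is rejected
        // before it can reach the wire.
        List<String> samples = List.of(
            "alice@example.com",
            "alice@example.com\r\nNOOP");
        for (String s : samples) {
            try {
                System.out.print("accepted: " + rcptTo(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The check deliberately rejects a bare CR or bare LF as well as the CRLF pair, since some servers treat either byte as a line ending. Where the check lives matters: validating inside the codec, as the Netty fix does, protects every caller, whereas validating only in application code protects a single caller and must be repeated correctly everywhere a value crosses into a command.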
The security implications are significant. The flaw can enable high-stakes attacks such as Business Email Compromise (BEC) and sophisticated phishing attempts. The article highlights a debate among Netty maintainers about whether the library should enforce input validation or whether that responsibility lies with the developers using the library. Ultimately, the decision was made to implement a fix, drawing on existing validation practices within the library and on precedents set by similar vulnerabilities in other widely used libraries.
The discovery of this flaw was not a traditional hunt for bugs; it was identified autonomously by an AI tool, marking a shift in how vulnerabilities are found and addressed. The author reflects on the implications of relying on AI for security, emphasizing that the landscape of software security is changing rapidly, necessitating more automated solutions to keep up with the complexity of modern software systems.