CWE-113
AllowedImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Abstraction: Variant · Status: Incomplete
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
177 vulnerabilities reference this CWE, most recent first.
GHSA-7P4C-JF2W-HC3W
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
{
"affected": [],
"aliases": [
"CVE-2017-17742"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-03T22:29:00Z",
"severity": "MODERATE"
},
"details": "Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.",
"id": "GHSA-7p4c-jf2w-hc3w",
"modified": "2022-05-13T01:23:20Z",
"published": "2022-05-13T01:23:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17742"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3685-1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103684"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1042004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WC8-WVC4-M498
Vulnerability from github – Published: 2026-05-05 18:35 – Updated: 2026-05-13 14:18Impact
The Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks.
For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe.
Patches
Upgrade to version 2.6.1.
Workarounds
Do not pass untrusted data to the Response.set_cookie() method.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "microdot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42874"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T18:35:20Z",
"nvd_published_at": "2026-05-11T20:25:43Z",
"severity": "LOW"
},
"details": "### Impact\nThe `Response.set_cookie()` method does not sanitize its string arguments, and in particular will not detect the presence of the `\\r\\n` sequence in them. This can be a potential source of header injection attacks.\n\nFor a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe.\n\n### Patches\nUpgrade to version 2.6.1.\n\n### Workarounds\nDo not pass untrusted data to the `Response.set_cookie()` method.",
"id": "GHSA-7wc8-wvc4-m498",
"modified": "2026-05-13T14:18:28Z",
"published": "2026-05-05T18:35:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/microdot/security/advisories/GHSA-7wc8-wvc4-m498"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42874"
},
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/microdot/commit/99b281b45faef8472410f2d56bfef496dfbd95d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/miguelgrinberg/microdot"
},
{
"type": "WEB",
"url": "https://github.com/miguelgrinberg/microdot/blob/main/CHANGES.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Microdot has HTTP response splitting in Response.set_cookie()"
}
GHSA-84J7-475P-HP8V
Vulnerability from github – Published: 2020-02-28 16:53 – Updated: 2023-05-16 16:16In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR, LF or/r, /n) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.12.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 4.3.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5247"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-28T16:50:49Z",
"nvd_published_at": "2020-02-28T17:15:00Z",
"severity": "MODERATE"
},
"details": "In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.\n\nWhile not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).\n\nThis is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.\n\nThis has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters. ",
"id": "GHSA-84j7-475p-hp8v",
"modified": "2023-05-16T16:16:12Z",
"published": "2020-02-28T16:53:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5247"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "HTTP Response Splitting in Puma"
}
GHSA-8G2F-8JP6-PR2W
Vulnerability from github – Published: 2024-07-25 21:31 – Updated: 2024-08-01 15:32A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.
{
"affected": [],
"aliases": [
"CVE-2024-40324"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-25T20:15:05Z",
"severity": "CRITICAL"
},
"details": "A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation.",
"id": "GHSA-8g2f-8jp6-pr2w",
"modified": "2024-08-01T15:32:11Z",
"published": "2024-07-25T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40324"
},
{
"type": "WEB",
"url": "https://github.com/aleksey-vi/CVE-2024-40324"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MJ6-8866-C4F4
Vulnerability from github – Published: 2022-05-17 01:16 – Updated: 2022-05-17 01:16HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.
{
"affected": [],
"aliases": [
"CVE-2015-1445"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-28T15:29:00Z",
"severity": "HIGH"
},
"details": "HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.",
"id": "GHSA-8mj6-8866-c4f4",
"modified": "2022-05-17T01:16:31Z",
"published": "2022-05-17T01:16:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1445"
},
{
"type": "WEB",
"url": "http://seclists.org/oss-sec/2015/q1/376"
},
{
"type": "WEB",
"url": "http://www.fli4l.de/fileadmin/fli4l/security/advisory-FFL-1113.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/02/01/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MMG-J2HW-99H7
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:59An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.
{
"affected": [],
"aliases": [
"CVE-2018-18837"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-18T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Netdata 1.10.0. HTTP Header Injection exists via the api/v1/data filename parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.",
"id": "GHSA-8mmg-j2hw-99h7",
"modified": "2024-04-04T00:59:34Z",
"published": "2022-05-24T16:48:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18837"
},
{
"type": "WEB",
"url": "https://github.com/netdata/netdata/pull/4521"
},
{
"type": "WEB",
"url": "https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca"
},
{
"type": "WEB",
"url": "https://github.com/netdata/netdata/blob/798c141c49ee85bddc8f48f25d2cb593ec96da07/web/api/web_api_v1.c#L367-L370"
},
{
"type": "WEB",
"url": "https://www.red4sec.com/cve/netdata_header_injection.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8P3C-M625-WH83
Vulnerability from github – Published: 2022-05-14 03:58 – Updated: 2025-03-13 19:03CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.643"
},
{
"fixed": "1.650"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.642.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-0789"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:03:59Z",
"nvd_published_at": "2016-04-07T23:59:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "GHSA-8p3c-m625-wh83",
"modified": "2025-03-13T19:03:59Z",
"published": "2022-05-14T03:58:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0789"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/f5c51fbad2b62b81dc1e0402aeee058a4a478046"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:0711"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins has CRLF Injection Vulnerability in the CLI"
}
GHSA-8Q38-W56M-QQ2C
Vulnerability from github – Published: 2023-02-04 09:30 – Updated: 2023-02-14 21:26A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The manipulation leads to http response splitting. It is possible to initiate the attack remotely. Upgrading to version 1.0.11.11 is able to address this issue. The name of the patch is f68bbaba47f4474e1da553aa51564a73e1d92a84. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220059.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "TurboGears"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.11.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25101"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T21:26:39Z",
"nvd_published_at": "2023-02-04T08:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability classified as critical has been found in OnShift TurboGears 1.0.11.10. This affects an unknown part of the file turbogears/controllers.py of the component HTTP Header Handler. The manipulation leads to http response splitting. It is possible to initiate the attack remotely. Upgrading to version 1.0.11.11 is able to address this issue. The name of the patch is f68bbaba47f4474e1da553aa51564a73e1d92a84. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220059.",
"id": "GHSA-8q38-w56m-qq2c",
"modified": "2023-02-14T21:26:39Z",
"published": "2023-02-04T09:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25101"
},
{
"type": "WEB",
"url": "https://github.com/OnShift/turbogears/pull/18"
},
{
"type": "WEB",
"url": "https://github.com/OnShift/turbogears/commit/f68bbaba47f4474e1da553aa51564a73e1d92a84"
},
{
"type": "PACKAGE",
"url": "https://github.com/OnShift/turbogears"
},
{
"type": "WEB",
"url": "https://github.com/OnShift/turbogears/releases/tag/v1.0.11.11"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220059"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220059"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Header injection in TurboGears"
}
GHSA-8V6J-9RV8-9MRH
Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-04-04 05:48In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the ‘rest’ SPL command that lets them potentially access other REST endpoints in the system arbitrarily.
{
"affected": [],
"aliases": [
"CVE-2023-32708"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T17:15:10Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform versions below 9.0.2303.100, a low-privileged user can trigger an HTTP response splitting vulnerability with the \u2018rest\u2019 SPL command that lets them potentially access other REST endpoints in the system arbitrarily.",
"id": "GHSA-8v6j-9rv8-9mrh",
"modified": "2024-04-04T05:48:02Z",
"published": "2023-07-06T21:15:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32708"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0603"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/e615a0e1-a1b2-4196-9865-8aa646e1708c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8W92-PVRP-JCWV
Vulnerability from github – Published: 2025-02-11 12:30 – Updated: 2025-07-02 18:30In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.
{
"affected": [],
"aliases": [
"CVE-2025-0588"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T12:15:34Z",
"severity": "MODERATE"
},
"details": "In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.",
"id": "GHSA-8w92-pvrp-jcwv",
"modified": "2025-07-02T18:30:22Z",
"published": "2025-02-11T12:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0588"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2024/sa2025-05"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2025/sa2025-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Input Validation
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-105: HTTP Request Splitting
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-34: HTTP Response Splitting
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.
See CanPrecede relationships for possible consequences.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.