CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-2X39-J499-JV87
Vulnerability from github – Published: 2026-05-16 15:31 – Updated: 2026-05-19 15:31Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.
The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
{
"affected": [],
"aliases": [
"CVE-2026-46719"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-16T14:16:37Z",
"severity": "MODERATE"
},
"details": "Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.\n\nThe metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.",
"id": "GHSA-2x39-j499-jv87",
"modified": "2026-05-19T15:31:21Z",
"published": "2026-05-16T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46719"
},
{
"type": "WEB",
"url": "https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/16/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32PC-XPHX-Q4F6
Vulnerability from github – Published: 2018-07-12 20:30 – Updated: 2024-09-20 21:11gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gunicorn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000164"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:53:40Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in \"process_headers\" function in \"gunicorn/http/wsgi.py\" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.",
"id": "GHSA-32pc-xphx-q4f6",
"modified": "2024-09-20T21:11:57Z",
"published": "2018-07-12T20:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000164"
},
{
"type": "WEB",
"url": "https://github.com/benoitc/gunicorn/issues/1227"
},
{
"type": "WEB",
"url": "https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-32pc-xphx-q4f6"
},
{
"type": "PACKAGE",
"url": "https://github.com/benoitc/gunicorn"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/gunicorn/PYSEC-2018-55.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4022-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers"
}
GHSA-35WP-MQ65-94RH
Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2022-05-14 02:46CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf.
{
"affected": [],
"aliases": [
"CVE-2016-6484"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-23T21:59:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf.",
"id": "GHSA-35wp-mq65-94rh",
"modified": "2022-05-14T02:46:13Z",
"published": "2022-05-14T02:46:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6484"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/138615/Infoblox-7.0.1-CRLF-Injection-HTTP-Response-Splitting.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/539366/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92794"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036736"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-37FH-F35C-R73M
Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-08 21:31DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)
{
"affected": [],
"aliases": [
"CVE-2026-11362"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T16:16:41Z",
"severity": "CRITICAL"
},
"details": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)",
"id": "GHSA-37fh-f35c-r73m",
"modified": "2026-06-08T21:31:49Z",
"published": "2026-06-05T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11362"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-39H2-3MQ3-959G
Vulnerability from github – Published: 2026-01-21 00:31 – Updated: 2026-03-03 15:31When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
{
"affected": [],
"aliases": [
"CVE-2025-11468"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T22:15:50Z",
"severity": "MODERATE"
},
"details": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
"id": "GHSA-39h2-3mq3-959g",
"modified": "2026-03-03T15:31:35Z",
"published": "2026-01-21T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11468"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/143935"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/143936"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3CVR-822R-RQCC
Vulnerability from github – Published: 2022-07-21 20:30 – Updated: 2022-07-21 20:30Impact
It is possible to inject CRLF sequences into request headers in Undici.
const undici = require('undici')
const response = undici.request("http://127.0.0.1:1000", {
headers: {'a': "\r\nb"}
})
The same applies to path and method
Patches
Update to v5.8.0
Workarounds
Sanitize all HTTP headers from untrusted sources to eliminate \r\n.
References
https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116
For more information
If you have any questions or comments about this advisory:
- Open an issue in undici repository
- To make a report, follow the SECURITY document
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31150"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-21T20:30:10Z",
"nvd_published_at": "2022-07-19T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIt is possible to inject CRLF sequences into request headers in Undici.\n\n```js\nconst undici = require(\u0027undici\u0027)\n\nconst response = undici.request(\"http://127.0.0.1:1000\", {\n headers: {\u0027a\u0027: \"\\r\\nb\"}\n})\n```\n\nThe same applies to `path` and `method`\n\n### Patches\n\nUpdate to v5.8.0\n\n### Workarounds\n\nSanitize all HTTP headers from untrusted sources to eliminate `\\r\\n`.\n\n### References\n\nhttps://hackerone.com/reports/409943\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n",
"id": "GHSA-3cvr-822r-rqcc",
"modified": "2022-07-21T20:30:10Z",
"published": "2022-07-21T20:30:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31150"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/409943"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220915-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "undici before v5.8.0 vulnerable to CRLF injection in request headers"
}
GHSA-3HXG-FXWM-8GF7
Vulnerability from github – Published: 2024-11-04 23:23 – Updated: 2024-11-08 15:19Summary
The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.
Details
The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328
This method does not check for CRLF characters in the header value.
This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.
PoC
The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:
using Refit;
internal class Program
{
private static void Main(string[] args)
{
// Usage: dotnet run <bearer token>
string token = args[0];
var service = RestService.For<IStatusApi>("http://insert.some.site.here");
string response = service.GetStatus(token).Result;
Console.WriteLine($"Response: {response}");
}
public interface IStatusApi
{
[Get("/status")]
Task<string> GetStatus([Authorize("Bearer")] string token);
}
}
This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):
anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Response: <html></html>
The application intends to send a single request of the form:
GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer <bearer token>
But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:
GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer test
User-Agent: injected header!
and
GET /smuggled HTTP/1.1
Host: insert.some.site.here
This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):
anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"
Impact
If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.
Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Refit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-51501"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-04T23:23:17Z",
"nvd_published_at": "2024-11-04T23:15:04Z",
"severity": "CRITICAL"
},
"details": "### Summary\nThe various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n\n### Details\nThe way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: \u003chttps://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328\u003e\nThis method does not check for CRLF characters in the header value.\n\nThis means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n\n### PoC\nThe below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the \"Authorization\" header:\n\n```c#\nusing Refit;\n\ninternal class Program\n{\n private static void Main(string[] args)\n {\n // Usage: dotnet run \u003cbearer token\u003e \n string token = args[0];\n var service = RestService.For\u003cIStatusApi\u003e(\"http://insert.some.site.here\");\n string response = service.GetStatus(token).Result;\n Console.WriteLine($\"Response: {response}\");\n }\n\n public interface IStatusApi\n {\n [Get(\"/status\")]\n Task\u003cstring\u003e GetStatus([Authorize(\"Bearer\")] string token);\n }\n}\n```\n\nThis application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n\n```bash\nanonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $\u0027test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here\u0027\nResponse: \u003chtml\u003e\u003c/html\u003e\n```\n\nThe application intends to send a single request of the form:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer \u003cbearer token\u003e\n```\nBut as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer test\nUser-Agent: injected header!\n```\nand\n```http\nGET /smuggled HTTP/1.1\nHost: insert.some.site.here\n```\n\nThis can be confirmed by checking the access logs on the server where these commands were run (with `insert.some.site.here` pointing to localhost):\n```bash\nanonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /status HTTP/1.1\" 200 240 \"-\" \"injected header!\"\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /smuggled HTTP/1.1\" 404 436 \"-\" \"-\"\n```\n\n### Impact\nIf an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.\n\nStrictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.\n\n",
"id": "GHSA-3hxg-fxwm-8gf7",
"modified": "2024-11-08T15:19:17Z",
"published": "2024-11-04T23:23:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51501"
},
{
"type": "WEB",
"url": "https://github.com/reactiveui/refit/commit/483b1d8df18098f137ca0eca056b7e9ec19f70dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/reactiveui/refit"
},
{
"type": "WEB",
"url": "https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "CRLF injection in Refit\u0027s [Header], [HeaderCollection] and [Authorize] attributes "
}
GHSA-3JVV-M32R-4HPF
Vulnerability from github – Published: 2023-07-06 06:30 – Updated: 2024-04-04 05:25All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.
{
"affected": [],
"aliases": [
"CVE-2023-26138"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T05:15:09Z",
"severity": "MODERATE"
},
"details": "All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \\r\\n (carriage return line feeds) characters and inject additional headers in the request sent.",
"id": "GHSA-3jvv-m32r-4hpf",
"modified": "2024-04-04T05:25:57Z",
"published": "2023-07-06T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26138"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/d2abd809f32ec6c61be1f41d80edf61b"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665555"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3MJ9-VRRP-55V4
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.
{
"affected": [],
"aliases": [
"CVE-2022-50682"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-18T20:15:50Z",
"severity": "MODERATE"
},
"details": "A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.",
"id": "GHSA-3mj9-vrrp-55v4",
"modified": "2025-12-18T21:31:43Z",
"published": "2025-12-18T21:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50682"
},
{
"type": "WEB",
"url": "https://devnet.kentico.com/download/hotfixes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kentico-xperience-routing-engine-crlf-injection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3WRH-PMFV-38F4
Vulnerability from github – Published: 2024-06-14 12:30 – Updated: 2024-07-03 18:45A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.
{
"affected": [],
"aliases": [
"CVE-2024-36459"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T12:15:09Z",
"severity": "HIGH"
},
"details": "A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.",
"id": "GHSA-3wrh-pmfv-38f4",
"modified": "2024-07-03T18:45:19Z",
"published": "2024-06-14T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36459"
},
{
"type": "WEB",
"url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.