CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-4W8M-96V9-2C86
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2024-01-17 18:51CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4203"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-17T18:51:01Z",
"nvd_published_at": "2011-12-22T15:29:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in calendar/set.php in the Calendar component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors involving the url variable.",
"id": "GHSA-4w8m-96v9-2c86",
"modified": "2024-01-17T18:51:01Z",
"published": "2022-05-13T01:13:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4203"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/581e8dba387f090d89382115fd850d8b44351526"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/ae7cc577b7115a7ad7a68dc4986aca9e2bda2cf5"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/bc577df6a974606fcb0882b090b00ea5a4e10cf6"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/e311b14364719b0f7851149ee51c1a4ec732635e"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=191754"
},
{
"type": "WEB",
"url": "http://penturalabs.wordpress.com/2011/12/13/advisory-crlf-injection-vulnerability-in-moodle"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Moodle CRLF Injection Vulnerability in Calendar Component"
}
GHSA-528X-45H9-F5PQ
Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware before 3.4.1110 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks and resulting web cache poisoning or cross-site scripting (XSS) attacks, or obtain sensitive information via multiple unspecified parameters.
{
"affected": [],
"aliases": [
"CVE-2014-9564"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-25T18:29:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware before 3.4.1110 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks and resulting web cache poisoning or cross-site scripting (XSS) attacks, or obtain sensitive information via multiple unspecified parameters.",
"id": "GHSA-528x-45h9-f5pq",
"modified": "2022-05-17T01:22:31Z",
"published": "2022-05-17T01:22:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9564"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5098173"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/74931"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-52RH-5RPJ-C3W6
Vulnerability from github – Published: 2022-05-05 16:00 – Updated: 2026-02-11 21:54node-irc is a socket wrapper for the IRC protocol that extends Node.js' EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel. The vulnerability has been patched in node-irc version 1.2.1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.0"
},
"package": {
"ecosystem": "npm",
"name": "matrix-org-irc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-05T16:00:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "node-irc is a socket wrapper for the IRC protocol that extends Node.js\u0027 EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel.\nThe vulnerability has been patched in node-irc version 1.2.1.",
"id": "GHSA-52rh-5rpj-c3w6",
"modified": "2026-02-11T21:54:44Z",
"published": "2022-05-05T16:00:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/node-irc/security/advisories/GHSA-52rh-5rpj-c3w6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29166"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/node-irc/commit/2976c856df37660a9d664e94c857c796de2e34f7"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/node-irc/commit/e3eb9c15f8240e9c92365f5ffc3944469229771b"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/node-irc"
},
{
"type": "WEB",
"url": "https://matrix.org/blog/2022/05/04/0-34-0-security-release-for-matrix-appservice-irc-high-severity"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper handling of multiline messages in node-irc"
}
GHSA-54WQ-72MP-CQ7C
Vulnerability from github – Published: 2026-01-20 17:54 – Updated: 2026-02-02 14:50Vulnerability Report: SMTP Header Injection via Regex Bypass
Vulnerable Code: mailpit/internal/smtpd/smtpd.go
Executive Summary
Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate RCPT TO and MAIL FROM addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (\r) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude \r and \n when used inside a character class.
RFC Compliance & Design Analysis
"Is this behavior intentional for a testing tool?" No. While testing tools are often permissive, this specific behavior violates the core SMTP protocol and fails the developer's own intent.
- RFC 5321 Violation: The SMTP protocol strictly forbids Control Characters (CR, LF, Null) in the envelope address (
Mailbox).- RFC 5321 Section 4.1.2: A
Mailboxconsists of anAtomorQuoted-string. AnAtomexplicitly excludes "specials, SPACE and CTLs" (Control Characters).
- RFC 5321 Section 4.1.2: A
- Failed Intent: The existence of
\vin the regex[^<>\v]proves the developer intended to block vertical whitespace. The vulnerability is that\vin Go regex (re2) inside brackets[]matches only Vertical Tab, not CR/LF. If the design were to allow everything, the\vexclusion wouldn't exist. - Data Corruption: Allowing
\rresults in the generation of malformed.emlfiles where theReceivedheader is broken. This is not a feature; it's a bug that creates invalid email files. - RFC 5321 also enforces address lengths which are not applied in Mailpit.
Technical Analysis
The Flaw
The vulnerability exists in the regex definitions used to parse SMTP commands:
// internal/smtpd/smtpd.go:32-33
rcptToRE = regexp.MustCompile(`(?i)TO: ?<([^<>\v]+)>( |$)(.*)?`)
mailFromRE = regexp.MustCompile(`(?i)FROM: ?<(|[^<>\v]+)>( |$)(.*)?`)
The developer likely intended [^<>\v] to mean "Match anything that is NOT a < OR > OR Vertical Whitespace".
However, in Go's regexp (RE2) syntax, the behavior of \v changes depending on context:
- Outside brackets: \v matches all vertical whitespace: [\n\v\f\r\x85\u2028\u2029].
- Inside brackets ([...]): \v matches only the Vertical Tab character (\x0B).
Result: The regex [^<>\v] allows Carriage Return (\r) and Line Feed (\n) characters to pass through, as they are not < or > or \x0B.
Exploit Scenario
Exploit Scenario
When Mailpit constructs the Received header, it uses the validated recipient address directly:
// internal/smtpd/smtpd.go:865
buffer.WriteString(fmt.Sprintf(" for <%s>; %s\r\n", to[0], now))
If to[0] contains victim\rINJECTED-HEADER: YES, the resulting string in memory becomes:
for <victim\rINJECTED-HEADER: YES>; ...
While bufio.ReadString prevents injecting immediate \n (newlines), \r (Carriage Return) bypasses this check.
The Result: The stored EML file contains a "Bare CR".
- RFC Violation: RFC 5321 strictly forbids Bare CR. Lines must end in CRLF.
- UI Behavior: Browsers typically render Bare CR as a space, so it may look like victim INJECTED in the Mailpit UI.
- Real Impact: The raw email is corrupted. If this email is exported or relayed, downstream systems (Outlook, older MTAs) may interpret the Bare CR as a line break, triggering a full Header Injection. Furthermore, Mailpit failing to reject this gives developers a false sense of security, as their code might be generating malformed emails that work in Mailpit but fail in production (e.g., with Gmail or Exchange).
Raw EML Verification
The following screenshot of the raw .eml file confirms that the \r character successfully broke the Received header structure in the stored file, effectively creating a new line for the injected content.
As seen in lines of the screenshot:
for <victim
INJECTED_VIA_CR:YES>; Tue, 13 Jan ...
The INJECTED_VIA_CR:YES payload is treated as a start of a new line by the text editor (VS Code), which honors \r as a line break. This proves the injection matches the "Bare CR" attack vector.
Additional Proof of Concepts
1. Null Byte Injection (\x00)
The regex [^<>\v]+ also allows the Null Byte (\x00).
Test: test_null_byte.py sent RCPT TO:<victim\x00-NULL-BYTE-HERE>.
Result: Server accepted the message (250 OK).
Impact: The API returns an empty [] for the To field in the message summary, indicating the parser failure in the UI/API layer. The raw message content confirms the Null Byte is stored in the database.
3. Detailed Character Compatibility
Tests (0-127 ASCII) confirm that the regex [^<>\v] blocks only the following:
- < (Less Than)
- > (Greater Than)
- \x0B (Vertical Tab)
Crucially, it ALLOWS:
| Character | Hex | Regex Status | Network Status | Impact |
| :--- | :--- | :--- | :--- | :--- |
| Carriage Return | \r (0x0D) | ALLOWED | Passed | Header Injection |
| Line Feed | \n (0x0A) | ALLOWED | Blocked | Blocked by bufio.ReadString, not regex. |
| Null Byte | \x00 (0x00) | ALLOWED | Passed | API DoS / Corrupt Data |
| Tab | \t (0x09) | ALLOWED | Passed | Formatting issues |
| Delete | \x7F (0x7F) | ALLOWED | Passed | Potential obfuscation |
| Controls | 0x01-0x1F | ALLOWED | Passed | (Except 0x0A, 0x0B, 0x0D) |
This confirms that the regex fails to implement a proper "Safe Text" allowlist, defaulting instead to a flawed denylist.
Proof of Concept
The following Python script demonstrates the injection of a "bare CR" into the headers, which is successfully accepted by the server.
import socket
def exploit():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 1025))
s.recv(1024)
s.send(b"EHLO test.com\r\n")
s.recv(1024)
s.send(b"MAIL FROM:<attacker@evil.com>\r\n")
s.recv(1024)
# Injecting \r
payload = b"RCPT TO:<victim\rX-Injected: Yes>\r\n"
s.send(payload)
resp = s.recv(1024)
print(f"Server Response: {resp.decode()}") # Expect 250 OK
s.send(b"DATA\r\n")
s.recv(1024)
s.send(b"Subject: Test\r\n\r\nBody\r\n.\r\n")
s.recv(1024)
s.close()
exploit()
Remediation
Update the regex to explicitly exclude \r and \n, or use the correct character class escape for control characters.
Recommended Fix:
Use \x00-\x1F to exclude all ASCII control characters.
// Fix: Exclude all control characters explicitly
rcptToRE = regexp.MustCompile(`(?i)TO: ?<([^<>\x00-\x1f]+)>( |$)(.*)?`)
mailFromRE = regexp.MustCompile(`(?i)FROM: ?<(|[^<>\x00-\x1f]+)>( |$)(.*)?`)
Alternatively, strictly exclude CR and LF:
rcptToRE = regexp.MustCompile(`(?i)TO: ?<([^<>\r\n]+)>( |$)(.*)?`)
Classification & References
- CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- OWASP: Injection Flaws
- CAPEC-106: Command Injection (Related usage pattern)
- [RFC 5321 Section 4.5.3.1 - Size Limits](https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.28.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/axllent/mailpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.28.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23829"
],
"database_specific": {
"cwe_ids": [
"CWE-150",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T17:54:55Z",
"nvd_published_at": "2026-01-19T00:15:48Z",
"severity": "MODERATE"
},
"details": "# Vulnerability Report: SMTP Header Injection via Regex Bypass\n\n**Vulnerable Code:** `mailpit/internal/smtpd/smtpd.go`\n\n## Executive Summary\nMailpit\u0027s SMTP server is vulnerable to **Header Injection** due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\\r` and `\\n` when used inside a character class.\n\n## RFC Compliance \u0026 Design Analysis\n**\"Is this behavior intentional for a testing tool?\"**\nNo. While testing tools are often permissive, this specific behavior violates the core SMTP protocol and fails the developer\u0027s own intent.\n\n1. **RFC 5321 Violation:** The SMTP protocol strictly forbids Control Characters (CR, LF, Null) in the envelope address (`Mailbox`).\n * *RFC 5321 Section 4.1.2:* A `Mailbox` consists of an `Atom` or `Quoted-string`. An `Atom` explicitly excludes \"specials, SPACE and CTLs\" (Control Characters).\n2. **Failed Intent:** The existence of `\\v` in the regex `[^\u003c\u003e\\v]` proves the developer **intended** to block vertical whitespace. The vulnerability is that `\\v` in Go regex (`re2`) inside brackets `[]` matches *only* Vertical Tab, not CR/LF. If the design were to allow everything, the `\\v` exclusion wouldn\u0027t exist.\n3. **Data Corruption:** Allowing `\\r` results in the generation of malformed `.eml` files where the `Received` header is broken. This is not a feature; it\u0027s a bug that creates invalid email files.\n4. RFC 5321 also enforces address lengths which are not applied in Mailpit.\n\n## Technical Analysis\n\n### The Flaw\nThe vulnerability exists in the regex definitions used to parse SMTP commands:\n\n```go\n// internal/smtpd/smtpd.go:32-33\nrcptToRE = regexp.MustCompile(`(?i)TO: ?\u003c([^\u003c\u003e\\v]+)\u003e( |$)(.*)?`)\nmailFromRE = regexp.MustCompile(`(?i)FROM: ?\u003c(|[^\u003c\u003e\\v]+)\u003e( |$)(.*)?`)\n```\n\nThe developer likely intended `[^\u003c\u003e\\v]` to mean \"Match anything that is NOT a `\u003c` OR `\u003e` OR `Vertical Whitespace`\".\n\nHowever, in Go\u0027s `regexp` (RE2) syntax, the behavior of `\\v` changes depending on context:\n- **Outside** brackets: `\\v` matches all vertical whitespace: `[\\n\\v\\f\\r\\x85\\u2028\\u2029]`.\n- **Inside** brackets (`[...]`): `\\v` matches **only** the Vertical Tab character (`\\x0B`).\n\n**Result:** The regex `[^\u003c\u003e\\v]` **allows** Carriage Return (`\\r`) and Line Feed (`\\n`) characters to pass through, as they are not `\u003c` or `\u003e` or `\\x0B`.\n\n### Exploit Scenario\n### Exploit Scenario\nWhen Mailpit constructs the `Received` header, it uses the validated recipient address directly:\n\n```go\n// internal/smtpd/smtpd.go:865\nbuffer.WriteString(fmt.Sprintf(\" for \u003c%s\u003e; %s\\r\\n\", to[0], now))\n```\n\nIf `to[0]` contains `victim\\rINJECTED-HEADER: YES`, the resulting string in memory becomes:\n\n```text\n for \u003cvictim\\rINJECTED-HEADER: YES\u003e; ...\n```\n\nWhile `bufio.ReadString` prevents injecting immediate `\\n` (newlines), `\\r` (Carriage Return) bypasses this check. \n\n**The Result:** The stored EML file contains a \"Bare CR\".\n- **RFC Violation:** RFC 5321 strictly forbids Bare CR. Lines must end in CRLF.\n- **UI Behavior:** Browsers typically render Bare CR as a space, so it may look like `victim INJECTED` in the Mailpit UI.\n- **Real Impact:** The raw email is corrupted. If this email is exported or relayed, downstream systems (Outlook, older MTAs) may interpret the Bare CR as a line break, triggering a full **Header Injection**. Furthermore, Mailpit failing to reject this gives developers a **false sense of security**, as their code might be generating malformed emails that work in Mailpit but fail in production (e.g., with Gmail or Exchange).\n\n### Raw EML Verification\nThe following screenshot of the raw `.eml` file confirms that the `\\r` character successfully broke the `Received` header structure in the stored file, effectively creating a new line for the injected content.\n\n\u003cimg width=\"621\" height=\"230\" alt=\"image\" src=\"https://github.com/user-attachments/assets/1611f07e-316d-436a-95d6-9b14c9a8ecc6\" /\u003e\n\n\u003cimg width=\"1058\" height=\"441\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9543d904-6e0a-4c8b-b283-abbe05b752d0\" /\u003e\n\n\u003cimg width=\"668\" height=\"196\" alt=\"image\" src=\"https://github.com/user-attachments/assets/907e4467-aab6-4bb4-83ce-743af4f6ba8d\" /\u003e\n\n\n\nAs seen in lines of the screenshot:\n```text\n for \u003cvictim\nINJECTED_VIA_CR:YES\u003e; Tue, 13 Jan ...\n```\nThe `INJECTED_VIA_CR:YES` payload is treated as a start of a new line by the text editor (VS Code), which honors `\\r` as a line break. This proves the injection matches the \"Bare CR\" attack vector.\n\n## Additional Proof of Concepts\n\n### 1. Null Byte Injection (`\\x00`)\nThe regex `[^\u003c\u003e\\v]+` also allows the Null Byte (`\\x00`).\n**Test:** `test_null_byte.py` sent `RCPT TO:\u003cvictim\\x00-NULL-BYTE-HERE\u003e`.\n**Result:** Server accepted the message (`250 OK`).\n**Impact:** The API returns an empty `[]` for the To field in the message summary, indicating the parser failure in the UI/API layer. The raw message content confirms the Null Byte is stored in the database.\n\n### 3. Detailed Character Compatibility\nTests (0-127 ASCII) confirm that the regex `[^\u003c\u003e\\v]` blocks **only** the following:\n- `\u003c` (Less Than)\n- `\u003e` (Greater Than)\n- `\\x0B` (Vertical Tab)\n\n**Crucially, it ALLOWS:**\n| Character | Hex | Regex Status | Network Status | Impact |\n| :--- | :--- | :--- | :--- | :--- |\n| **Carriage Return** | `\\r` (`0x0D`) | **ALLOWED** | **Passed** | **Header Injection** |\n| **Line Feed** | `\\n` (`0x0A`) | **ALLOWED** | Blocked* | *Blocked by `bufio.ReadString`, not regex. |\n| **Null Byte** | `\\x00` (`0x00`) | **ALLOWED** | **Passed** | API DoS / Corrupt Data |\n| **Tab** | `\\t` (`0x09`) | **ALLOWED** | **Passed** | Formatting issues |\n| **Delete** | `\\x7F` (`0x7F`) | **ALLOWED** | **Passed** | Potential obfuscation |\n| **Controls** | `0x01`-`0x1F` | **ALLOWED** | **Passed** | (Except `0x0A`, `0x0B`, `0x0D`) |\n\n*This confirms that the regex fails to implement a proper \"Safe Text\" allowlist, defaulting instead to a flawed denylist.*\n\n## Proof of Concept\nThe following Python script demonstrates the injection of a \"bare CR\" into the headers, which is successfully accepted by the server.\n\n```python\nimport socket\n\ndef exploit():\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((\"127.0.0.1\", 1025))\n s.recv(1024)\n s.send(b\"EHLO test.com\\r\\n\")\n s.recv(1024)\n s.send(b\"MAIL FROM:\u003cattacker@evil.com\u003e\\r\\n\")\n s.recv(1024)\n \n # Injecting \\r \n payload = b\"RCPT TO:\u003cvictim\\rX-Injected: Yes\u003e\\r\\n\"\n s.send(payload)\n resp = s.recv(1024)\n print(f\"Server Response: {resp.decode()}\") # Expect 250 OK\n \n s.send(b\"DATA\\r\\n\")\n s.recv(1024)\n s.send(b\"Subject: Test\\r\\n\\r\\nBody\\r\\n.\\r\\n\")\n s.recv(1024)\n s.close()\n \nexploit()\n```\n\n## Remediation\nUpdate the regex to explicitly exclude `\\r` and `\\n`, or use the correct character class escape for control characters.\n\n**Recommended Fix:**\nUse `\\x00-\\x1F` to exclude all ASCII control characters.\n\n```go\n// Fix: Exclude all control characters explicitly\nrcptToRE = regexp.MustCompile(`(?i)TO: ?\u003c([^\u003c\u003e\\x00-\\x1f]+)\u003e( |$)(.*)?`)\nmailFromRE = regexp.MustCompile(`(?i)FROM: ?\u003c(|[^\u003c\u003e\\x00-\\x1f]+)\u003e( |$)(.*)?`)\n```\n\nAlternatively, strictly exclude CR and LF:\n```go\nrcptToRE = regexp.MustCompile(`(?i)TO: ?\u003c([^\u003c\u003e\\r\\n]+)\u003e( |$)(.*)?`)\n```\n## Classification \u0026 References\n- **CWE-93:** [Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)](https://cwe.mitre.org/data/definitions/93.html)\n- **CWE-150:** [Improper Neutralization of Escape, Meta, or Control Sequences](https://cwe.mitre.org/data/definitions/150.html)\n- **OWASP:** [Injection Flaws](https://owasp.org/www-community/attacks/Injection_Flaws)\n- **CAPEC-106:** [Command Injection](https://capec.mitre.org/data/definitions/106.html) (Related usage pattern)\n- [[RFC 5321 Section 4.5.3.1 - Size Limits](https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1)](https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1)",
"id": "GHSA-54wq-72mp-cq7c",
"modified": "2026-02-02T14:50:34Z",
"published": "2026-01-20T17:54:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-54wq-72mp-cq7c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23829"
},
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/commit/36cc06c125954dec6673219dafa084e13cc14534"
},
{
"type": "PACKAGE",
"url": "https://github.com/axllent/mailpit"
},
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/releases/tag/v1.28.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mailpit has an SMTP Header Injection via Regex Bypass"
}
GHSA-562R-8445-54R2
Vulnerability from github – Published: 2026-01-13 19:02 – Updated: 2026-06-10 18:06Impact
Vulnerability Type: CRLF Injection via ConfigParser
An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior.
Affected Users: Users running ComfyUI-Manager in environments where ComfyUI is configured with the --listen option to allow remote access.
CVSS Score: 7.5 (High)
Patches
Fixed in the following versions: - 3.39.2 (v3.x branch) - 4.0.5 (v4.x branch)
Sanitization logic was added to the write_config() function to remove CRLF and NULL characters from all string values.
Workarounds
If upgrading is not possible:
- Run ComfyUI-Manager only on trusted networks
- Block external access via firewall
- Run on localhost only without the --listen option
References
Credit
This vulnerability was reported by: - 李存义 xiaoheihei1107@gmail.com - D0n9 Li wyd0n9@gmail.com - Swings swing@mail.exp.sh - Osword from SGLAB of Legendsec at Qi'anxin Group zhzhdoai@gmail.com
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.4"
},
"package": {
"ecosystem": "PyPI",
"name": "comfy-cli"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "comfy-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.39.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22777"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:02:52Z",
"nvd_published_at": "2026-01-10T07:16:03Z",
"severity": "HIGH"
},
"details": "## Impact\n\n**Vulnerability Type**: CRLF Injection via ConfigParser\n\nAn attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the `config.ini` file. This can lead to security setting tampering or modification of application behavior.\n\n**Affected Users**: Users running ComfyUI-Manager in environments where ComfyUI is configured with the `--listen` option to allow remote access.\n\n**CVSS Score**: 7.5 (High)\n\n## Patches\n\nFixed in the following versions:\n- **3.39.2** (v3.x branch)\n- **4.0.5** (v4.x branch)\n\nSanitization logic was added to the `write_config()` function to remove CRLF and NULL characters from all string values.\n\n## Workarounds\n\nIf upgrading is not possible:\n- Run ComfyUI-Manager only on trusted networks\n- Block external access via firewall\n- Run on localhost only without the `--listen` option\n\n## References\n\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)\n\n## Credit\n\nThis vulnerability was reported by:\n- \u674e\u5b58\u4e49 \u003cxiaoheihei1107@gmail.com\u003e\n- D0n9 Li \u003cwyd0n9@gmail.com\u003e\n- Swings \u003cswing@mail.exp.sh\u003e\n- Osword from SGLAB of Legendsec at Qi\u0027anxin Group \u003czhzhdoai@gmail.com\u003e",
"id": "GHSA-562r-8445-54r2",
"modified": "2026-06-10T18:06:48Z",
"published": "2026-01-13T19:02:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22777"
},
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/ef8703a3d7ab4e6ecda8f96e0c5816c23d1cb262"
},
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410"
},
{
"type": "PACKAGE",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler"
}
GHSA-57H4-P8XG-X38X
Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-05-19 15:31Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.
The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.
{
"affected": [],
"aliases": [
"CVE-2026-8788"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-18T08:16:15Z",
"severity": "HIGH"
},
"details": "Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections.\n\nThe values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nNote that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names.",
"id": "GHSA-57h4-p8xg-x38x",
"modified": "2026-05-19T15:31:22Z",
"published": "2026-05-18T09:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8788"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-599G-P68Q-2RXV
Vulnerability from github – Published: 2023-05-30 06:30 – Updated: 2024-05-02 03:30Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
Note: This issue is present due to an incomplete fix for CVE-2020-11709.
{
"affected": [],
"aliases": [
"CVE-2023-26130"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-77",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T05:15:10Z",
"severity": "HIGH"
},
"details": "Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\n\n**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).",
"id": "GHSA-599g-p68q-2rxv",
"modified": "2024-05-02T03:30:32Z",
"published": "2023-05-30T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26130"
},
{
"type": "WEB",
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"type": "WEB",
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59GX-X7R4-97Q5
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05Domoticz before 4.10579 neglects to categorize \n and \r as insecure argument options.
{
"affected": [],
"aliases": [
"CVE-2019-10678"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-31T21:29:00Z",
"severity": "HIGH"
},
"details": "Domoticz before 4.10579 neglects to categorize \\n and \\r as insecure argument options.",
"id": "GHSA-59gx-x7r4-97q5",
"modified": "2022-05-14T01:05:53Z",
"published": "2022-05-14T01:05:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10678"
},
{
"type": "WEB",
"url": "https://github.com/domoticz/domoticz/commit/2119afbe74ee0c914c1d5c4c859c594c08b0ad42"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46773"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152678/Domoticz-4.10577-Unauthenticated-Remote-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F3W-CMWX-C9M9
Vulnerability from github – Published: 2026-04-20 06:31 – Updated: 2026-04-20 06:31SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences ('CRLF Injection') vulnerability. Processing some crafted configuration data may lead to arbitrary entries injected to the system configuration.
{
"affected": [],
"aliases": [
"CVE-2026-32964"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T04:16:45Z",
"severity": "MODERATE"
},
"details": "SD-330AC and AMC Manager provided by silex technology, Inc. contain an improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability. Processing some crafted configuration data may lead to arbitrary entries injected to the system configuration.",
"id": "GHSA-5f3w-cmwx-c9m9",
"modified": "2026-04-20T06:31:27Z",
"published": "2026-04-20T06:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32964"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU94271449"
},
{
"type": "WEB",
"url": "https://www.silex.jp/support/security-advisories/2026-001"
},
{
"type": "WEB",
"url": "https://www.silex.jp/support/security-advisories/en/2026-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5GGV-4372-HVMC
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:34cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).
{
"affected": [],
"aliases": [
"CVE-2016-10803"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-07T13:15:00Z",
"severity": "HIGH"
},
"details": "cPanel before 57.9999.105 allows newline injection via LOC records (CPANEL-6923).",
"id": "GHSA-5ggv-4372-hvmc",
"modified": "2024-04-04T01:34:22Z",
"published": "2022-05-24T16:52:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10803"
},
{
"type": "WEB",
"url": "https://documentation.cpanel.net/display/CL/58+Change+Log"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.