Common Weakness Enumeration

CWE-93

Allowed

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

323 vulnerabilities reference this CWE, most recent first.

GHSA-89FF-5R66-WR8J

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI
Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-23T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
  "id": "GHSA-89ff-5r66-wr8j",
  "modified": "2022-05-13T01:11:47Z",
  "published": "2022-05-13T01:11:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4127-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4127-1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190404-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-26"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue35906"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3725"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3520"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:3335"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2030"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1260"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00062.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00063.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CGQ-6MH2-7J6V

Vulnerability from github – Published: 2025-03-04 15:27 – Updated: 2025-11-04 16:55
VLAI
Summary
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
Details

Summary

Rack::Sendfile can be exploited by crafting input that includes newline characters to manipulate log entries.

Details

The Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

Mitigation

  • Update to the latest version of Rack, or
  • Remove usage of Rack::Sendfile.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1"
            },
            {
              "fixed": "3.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-04T15:27:06Z",
    "nvd_published_at": "2025-03-04T16:15:40Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.\n\n## Details\n\nThe `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.\n\n## Impact\n\nThis vulnerability can distort log files, obscure attack traces, and complicate security auditing.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Sendfile`.",
  "id": "GHSA-8cgq-6mh2-7j6v",
  "modified": "2025-11-04T16:55:18Z",
  "published": "2025-03-04T15:27:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection"
}

GHSA-8P34-64R3-MWG8

Vulnerability from github – Published: 2026-06-09 18:36 – Updated: 2026-07-06 22:53
VLAI
Summary
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Details

Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.

Details

Raw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.

Servers without support for non-synchronizing literals could handle them in several different ways: If a server sees a "}\r\n" byte sequence but can't parse the literal bytesize, it may cautiously decide to close the connection, blocking any command injection attacks. However, a server without support for non-synchronizing literals may instead interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.

This affects the following commands' string arguments: * criteria for #search and #uid_search * search_keys for #sort, #thread, #uid_sort, and #uid_thread * attr for #fetch and #uid_fetch

Prior to net-imap v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in any way, so they were also vulnerable to this attack. See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).

Impact

Fortunately, LITERAL- is supported by most modern IMAP servers. Even without support for non-synchronizing literals, cautious servers may handle invalid literal bytesize by closing the connection . However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

Mitigation

Update to a version of net-imap which validates server support for non-synchronizing literals before sending them.

If upgrading net-imap is not possible: * Explicitly validate user-controlled inputs to prevent embedded non-synchronizing literals unless the server supports them. * For a simpler, more cautious approach: all embedded literals can be unconditionally prohibited, by checking that string inputs do not contain any CR or LF bytes. * Verify that the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities before using untrusted string inputs for the affected "raw data" arguments.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.4"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0"
            },
            {
              "fixed": "0.6.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.14"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "net-imap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T18:36:04Z",
    "nvd_published_at": "2026-06-22T21:16:24Z",
    "severity": "MODERATE"
  },
  "details": "Several Net::IMAP commands accept a \"raw data\" argument that is sent verbatim after validation to prevent command injection.  However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.\n\n### Details\n\nRaw data arguments support embedded literal values, both synchronizing and non-synchronizing.  Non-synchronizing literals can only be safely sent when the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities.  But raw data arguments do not verify server support for non-synchronizing literals prior to sending.\n\nServers without support for non-synchronizing literals could handle them in several different ways:  If a server sees a `\"}\\r\\n\"` byte sequence but can\u0027t parse the literal bytesize, it _may_ cautiously decide to close the connection, blocking any command injection attacks.  However, a server without support for non-synchronizing literals may instead interpret the `\"+}\\r\\n\"` as the end of a malformed command line and respond with a tagged `BAD`.  In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.\n\nThis affects the following commands\u0027 string arguments:\n* `criteria` for `#search` and `#uid_search`\n* `search_keys` for `#sort`, `#thread`, `#uid_sort`, and `#uid_thread`\n* `attr` for `#fetch` and `#uid_fetch`\n\nPrior to `net-imap` v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in _any_ way, so they were also vulnerable to this attack.  See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).\n\n### Impact\n\nFortunately, `LITERAL-` is supported by most modern IMAP servers.  Even without support for non-synchronizing literals, cautious servers may handle invalid literal bytesize by closing the connection .  However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.\n\nIf a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system\u0027s attributes, e.g.: shared mail folders or the application\u0027s installed response handlers.\n\n### Mitigation\n\nUpdate to a version of `net-imap` which validates server support for non-synchronizing literals before sending them.\n\nIf upgrading `net-imap` is not possible:\n* Explicitly validate user-controlled inputs to prevent embedded non-synchronizing literals unless the server supports them.\n* For a simpler, more cautious approach: all embedded literals can be unconditionally prohibited, by checking that string inputs do not contain any CR or LF bytes.\n* Verify that the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities before using untrusted string inputs for the affected \"raw data\" arguments.",
  "id": "GHSA-8p34-64r3-mwg8",
  "modified": "2026-07-06T22:53:42Z",
  "published": "2026-06-09T18:36:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-8p34-64r3-mwg8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47240"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/net-imap"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-47240.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-47240"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Net::IMAP: Command Injection via non-synchronizing literal in \"raw\" argument"
}

GHSA-8PM5-XR39-VFV3

Vulnerability from github – Published: 2026-01-27 12:31 – Updated: 2026-03-19 15:31
VLAI
Details

A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T10:15:48Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.",
  "id": "GHSA-8pm5-xr39-vfv3",
  "modified": "2026-03-19T15:31:09Z",
  "published": "2026-01-27T12:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1467"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1467"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433174"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8QV8-FQ5W-P966

Vulnerability from github – Published: 2021-12-16 14:26 – Updated: 2021-12-16 14:09
VLAI
Summary
phpservermon is vulnerable to CRLF Injection
Details

phpservermon is vulnerable to Improper Neutralization of CRLF Sequences.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpservermon/phpservermon"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-14T15:10:46Z",
    "nvd_published_at": "2021-12-12T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "phpservermon is vulnerable to Improper Neutralization of CRLF Sequences.",
  "id": "GHSA-8qv8-fq5w-p966",
  "modified": "2021-12-16T14:09:58Z",
  "published": "2021-12-16T14:26:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpservermon/phpservermon/commit/162bba0046fcda1580f4fbc7b9ababe3c7c13ce4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phpservermon/phpservermon"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/d617ced7-be06-4e34-9db0-63d45c003a43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpservermon is vulnerable to CRLF Injection"
}

GHSA-9324-JV53-9CC8

Vulnerability from github – Published: 2023-03-21 22:41 – Updated: 2023-03-21 22:41
VLAI
Summary
dio vulnerable to CRLF injection with HTTP method string
Details

Impact

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

Patches

The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.

Workarounds

Cherry-pick the commit to your own fork can resolves the vulberability too.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2021-31402
  • https://osv.dev/GHSA-jwpw-q68h-r678
  • https://github.com/cfug/dio/issues/1130
  • https://github.com/cfug/dio/issues/1752
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Pub",
        "name": "dio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31402"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:41:11Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThe dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.\n\n### Patches\nThe vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.\n\n### Workarounds\nCherry-pick the commit to your own fork can resolves the vulberability too.\n\n### References\n- https://nvd.nist.gov/vuln/detail/CVE-2021-31402\n- https://osv.dev/GHSA-jwpw-q68h-r678\n- https://github.com/cfug/dio/issues/1130\n- https://github.com/cfug/dio/issues/1752\n",
  "id": "GHSA-9324-jv53-9cc8",
  "modified": "2023-03-21T22:41:11Z",
  "published": "2023-03-21T22:41:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cfug/dio/security/advisories/GHSA-9324-jv53-9cc8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31402"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cfug/dio/issues/1752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flutterchina/dio/issues/1130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cfug/dio"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/GHSA-jwpw-q68h-r678"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PUB-DIO-5891148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "dio vulnerable to CRLF injection with HTTP method string"
}

GHSA-95C2-PG6V-7HQP

Vulnerability from github – Published: 2026-07-01 06:31 – Updated: 2026-07-01 06:31
VLAI
Details

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to get_reply_to_address() processing the Reply-To display name through smart-tag expansion with context 'notification' instead of 'notification-reply-to', which bypasses email-address validation while wpforms_sanitize_textarea_field() intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw Reply-To: mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers — such as Bcc: — into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-01T05:16:17Z",
    "severity": "MODERATE"
  },
  "details": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `\u0027notification\u0027` instead of `\u0027notification-reply-to\u0027`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers \u2014 such as `Bcc:` \u2014 into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.",
  "id": "GHSA-95c2-pg6v-7hqp",
  "modified": "2026-07-01T06:31:33Z",
  "published": "2026-07-01T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12127"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/includes/fields/class-textarea.php#L326"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Mailer.php#L368"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1098"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1138"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/includes/fields/class-textarea.php#L326"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Mailer.php#L368"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1098"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1138"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3586095/wpforms-lite/trunk/src/Emails/Mailer.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2\u0026new_path=%2Fwpforms-lite/tags/1.10.2.1"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a51c22-c4ca-4897-ad7e-c5df00b07fe0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99X9-VRRC-XXW3

Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2025-03-27 21:31
VLAI
Details

A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-31T18:15:09Z",
    "severity": "HIGH"
  },
  "details": "A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim\u2019s browser, thereby leading to cross-site scripting attack.",
  "id": "GHSA-99x9-vrrc-xxw3",
  "modified": "2025-03-27T21:31:15Z",
  "published": "2024-05-31T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38551"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-May-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CX9-X2GP-9QVH

Vulnerability from github – Published: 2021-06-29 21:24 – Updated: 2023-02-09 17:46
VLAI
Summary
CRLF vulnerability in Fiber
Details

Impact

The filename that is given in c.Attachment() is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc.

Steps to reproduce

package main

import "github.com/gofiber/fiber"

const badFileName = "another secret document.pdf\"\r\nLocation: google.com\r\nAuthorization: \"example_of_session_fixation"

func splitTheResponse(c *fiber.Ctx) {
    c.Attachment(badFileName)
}

func main() {
    app := fiber.New()
    app.Get("/attack", splitTheResponse)
    app.Listen("127.0.0.1:8080")
}
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2020 19:47:04 GMT
Content-Type: application/octet-stream
Content-Length: 0
Content-Disposition: attachment; filename="another secret document.pdf"
Location: google.com
Authorization: "example_of_session_fixation"

Patches

This issue has been patched in v1.12.6 with commit 579 escaping the filename by default.

Workarounds

You could of course serialize the input yourself before passing it to ctx.Attachment(), this is actually a good practice by default. But in case you forget, we got you covered 👍

References

A CRLF injection attack is one of several types of injection attacks. It can be used to escalate to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and more. A CRLF injection vulnerability exists if an attacker can inject the CRLF characters into a web application, for example using a user input form or an HTTP request, see acunetix

For more information

If you have any questions or comments about this advisory: * Open an issue in gofiber/fiber * Join us on Discord

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T19:14:18Z",
    "nvd_published_at": "2020-07-20T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe filename that is given in [c.Attachment()](https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc.\n\n### Steps to reproduce\n```go\npackage main\n\nimport \"github.com/gofiber/fiber\"\n\nconst badFileName = \"another secret document.pdf\\\"\\r\\nLocation: google.com\\r\\nAuthorization: \\\"example_of_session_fixation\"\n\nfunc splitTheResponse(c *fiber.Ctx) {\n\tc.Attachment(badFileName)\n}\n\nfunc main() {\n\tapp := fiber.New()\n\tapp.Get(\"/attack\", splitTheResponse)\n\tapp.Listen(\"127.0.0.1:8080\")\n}\n```\n```\nHTTP/1.1 200 OK\nDate: Fri, 10 Jul 2020 19:47:04 GMT\nContent-Type: application/octet-stream\nContent-Length: 0\nContent-Disposition: attachment; filename=\"another secret document.pdf\"\nLocation: google.com\nAuthorization: \"example_of_session_fixation\"\n```\n\n### Patches\nThis issue has been patched in `v1.12.6` with commit [579](https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f) escaping the filename by default.\n\n### Workarounds\nYou could of course serialize the input yourself before passing it to `ctx.Attachment()`, this is actually a good practice by default. But in case you forget, we got you covered \ud83d\udc4d \n\n### References\nA CRLF injection attack is one of several types of injection attacks. It can be used to escalate to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and more. A CRLF injection vulnerability exists if an attacker can inject the CRLF characters into a web application, for example using a user input form or an HTTP request, [see acunetix](https://www.acunetix.com/websitesecurity/crlf-injection/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [gofiber/fiber](https://github.com/gofiber/fiber)\n* Join us on [Discord](https://gofiber.io/discord)",
  "id": "GHSA-9cx9-x2gp-9qvh",
  "modified": "2023-02-09T17:46:27Z",
  "published": "2021-06-29T21:24:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/pull/579"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/commit/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CRLF vulnerability in Fiber"
}

GHSA-9JXW-CFRH-JXQ6

Vulnerability from github – Published: 2021-08-30 16:11 – Updated: 2022-08-11 00:16
VLAI
Summary
Cachet vulnerable to new line injection during configuration edition
Details

Impact

Authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server.

Patches

This issue was addressed by improving UpdateConfigCommandHandler and preventing the use of new lines characters in new configuration values.

Workarounds

Only allow trusted source IP addresses to access to the administration dashboard.

References

  • https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection

For more information

If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "cachethq/cachet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-27T23:35:16Z",
    "nvd_published_at": "2021-08-27T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAuthenticated users, regardless of their privileges (_User_ or _Admin_), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server.\n\n### Patches\n\nThis issue was addressed by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values.\n\n### Workarounds\n\nOnly allow trusted source IP addresses to access to the administration dashboard.\n\n### References\n\n- https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection\n\n### For more information\n\nIf you have any questions or comments about this advisory, you can contact:\n- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;\n- The maintainers, by opening an issue on this repository.\n",
  "id": "GHSA-9jxw-cfrh-jxq6",
  "modified": "2022-08-11T00:16:20Z",
  "published": "2021-08-30T16:11:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fiveai/Cachet/security/advisories/GHSA-9jxw-cfrh-jxq6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fiveai/Cachet/commit/6442976c25930cb370c65a22784b9caee7ed1de2"
    },
    {
      "type": "WEB",
      "url": "https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fiveai/Cachet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fiveai/Cachet/releases/tag/v2.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cachet vulnerable to new line injection during configuration edition"
}

Mitigation
Implementation

Avoid using CRLF as a special sequence.

Mitigation
Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.