CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-Q768-X9M6-M9QP
Vulnerability from github – Published: 2022-07-21 20:31 – Updated: 2022-07-21 20:31Impact
Authorization headers are already cleared on cross-origin redirect in https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.
However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in v5.8.0.
Workarounds
By default, this vulnerability is not exploitable.
Do not enable redirections, i.e. maxRedirections: 0 (the default).
References
https://hackerone.com/reports/1635514 https://curl.se/docs/CVE-2018-1000007.html https://curl.se/docs/CVE-2022-27776.html
For more information
If you have any questions or comments about this advisory: * Open an issue in undici repository * To make a report, follow the SECURITY document
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31151"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-601",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-21T20:31:05Z",
"nvd_published_at": "2022-07-21T04:15:00Z",
"severity": "LOW"
},
"details": "### Impact\n\nAuthorization headers are already cleared on cross-origin redirect in\nhttps://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.\n\nHowever, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in v5.8.0.\n\n### Workarounds\n\nBy default, this vulnerability is not exploitable.\nDo not enable redirections, i.e. `maxRedirections: 0` (the default). \n\n### References\n\nhttps://hackerone.com/reports/1635514\nhttps://curl.se/docs/CVE-2018-1000007.html\nhttps://curl.se/docs/CVE-2022-27776.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n",
"id": "GHSA-q768-x9m6-m9qp",
"modified": "2022-07-21T20:31:05Z",
"published": "2022-07-21T20:31:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31151"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/issues/872"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/pull/1441"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1635514"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220909-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect"
}
GHSA-Q7JX-V53G-848W
Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03Summary
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart Content-Type header with no validation. A param value containing \r\n splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.
Details
add_content_type_param/2 in lib/tesla/multipart.ex stores the supplied string directly in multipart.content_type_params without any CR/LF check. headers/1 then joins all params with "; " and appends the result verbatim to the Content-Type header value. Because HTTP headers are delimited by \r\n, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.
The precondition is that untrusted input reaches add_content_type_param/2, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.
PoC
- Call
Tesla.Multipart.add_content_type_param/2with a value containing\r\nX-Injected: pwned. - Pass the resulting
Multipartstruct as the request body via any Tesla adapter. - The raw request on the wire contains
X-Injected: pwnedas a standalone header line.
Impact
Low severity (CVSS v4.0: 2.1). Any application using tesla 0.8.0 through 1.18.2 that passes untrusted input into Tesla.Multipart.add_content_type_param/2 is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.
Workarounds
Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \r or \n.
Reesources
- Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351
- Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "tesla"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48596"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T00:03:12Z",
"nvd_published_at": "2026-06-02T20:16:38Z",
"severity": "LOW"
},
"details": "### Summary\n\n`Tesla.Multipart.add_content_type_param/2` appends caller-supplied strings to the multipart `Content-Type` header with no validation. A param value containing `\\r\\n` splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.\n\n### Details\n\n`add_content_type_param/2` in `lib/tesla/multipart.ex` stores the supplied string directly in `multipart.content_type_params` without any CR/LF check. `headers/1` then joins all params with `\"; \"` and appends the result verbatim to the `Content-Type` header value. Because HTTP headers are delimited by `\\r\\n`, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.\n\nThe precondition is that untrusted input reaches `add_content_type_param/2`, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.\n\n### PoC\n\n1. Call `Tesla.Multipart.add_content_type_param/2` with a value containing `\\r\\nX-Injected: pwned`.\n2. Pass the resulting `Multipart` struct as the request body via any Tesla adapter.\n3. The raw request on the wire contains `X-Injected: pwned` as a standalone header line.\n\n### Impact\n\nLow severity (CVSS v4.0: 2.1). Any application using `tesla` 0.8.0 through 1.18.2 that passes untrusted input into `Tesla.Multipart.add_content_type_param/2` is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.\n\n### Workarounds\n\nValidate content-type parameter strings before passing them to `Tesla.Multipart.add_content_type_param/2`, rejecting any value that contains `\\r` or `\\n`.\n\n### Reesources\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2",
"id": "GHSA-q7jx-v53g-848w",
"modified": "2026-07-10T00:03:12Z",
"published": "2026-07-10T00:03:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48596"
},
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48596.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-tesla/tesla"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48596"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`"
}
GHSA-Q83Q-GHHM-P7G4
Vulnerability from github – Published: 2026-06-10 21:31 – Updated: 2026-06-19 18:32Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.
The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.
Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
{
"affected": [],
"aliases": [
"CVE-2026-50637"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T19:16:37Z",
"severity": "HIGH"
},
"details": "Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.\n\nThe statsd protocol (and extensions) allow mutiple metrics,separated by newlines, to be sent per packet.\n\nThe send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.\n\nVersion 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.",
"id": "GHSA-q83q-ghhm-p7g4",
"modified": "2026-06-19T18:32:30Z",
"published": "2026-06-10T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50637"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/PEVANS/Metrics-Any-Adapter-Statsd-0.04/changes"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46739"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50638"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q86F-FMQF-QRF6
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-09-05 21:08The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "mail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-9097"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:51:27Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.",
"id": "GHSA-q86f-fmqf-qrf6",
"modified": "2023-09-05T21:08:32Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9097"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/issues/215"
},
{
"type": "WEB",
"url": "https://github.com/mikel/mail/pull/1097"
},
{
"type": "WEB",
"url": "https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/137631"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-q86f-fmqf-qrf6"
},
{
"type": "PACKAGE",
"url": "https://github.com/mikel/mail"
},
{
"type": "WEB",
"url": "https://rubysec.com/advisories/mail-OSVDB-131677"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2015/12/11/3"
},
{
"type": "WEB",
"url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mail Gem CRLF Injection vulnerability"
}
GHSA-Q89X-F52W-6HJ2
Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 17:39Serializing of headers to the socket did not filter the values for newline bytes (\r or \n), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input.
This issue was fixed by replacing all newline characters with a space during serialization of a header value.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "hyper"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.0"
},
{
"fixed": "0.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "hyper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18587"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:25:19Z",
"nvd_published_at": "2019-08-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "Serializing of headers to the socket did not filter the values for newline bytes (\\r or \\n), which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an application constructs headers based on unsanitized user input.\n\nThis issue was fixed by replacing all newline characters with a space during serialization of a header value.",
"id": "GHSA-q89x-f52w-6hj2",
"modified": "2023-06-13T17:39:45Z",
"published": "2021-08-25T20:43:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18587"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperium/hyper"
},
{
"type": "WEB",
"url": "https://github.com/hyperium/hyper/wiki/Security-001"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2017-0002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Headers containing newline characters can split messages in hyper"
}
GHSA-QCQR-HCJQ-WHFQ
Vulnerability from github – Published: 2022-05-17 00:15 – Updated: 2022-07-12 22:14CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.0.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.wildfly:wildfly-undertow"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0.Final"
},
{
"fixed": "11.0.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-4993"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-12T22:14:44Z",
"nvd_published_at": "2016-09-26T14:59:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "GHSA-qcqr-hcjq-whfq",
"modified": "2022-07-12T22:14:44Z",
"published": "2022-05-17T00:15:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4993"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/834496fb74ddda2af197940c70d08bab419fdf12"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3454"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:3458"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1344321"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/UNDERTOW-827"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1838.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1839.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1840.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1841.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Neutralization of CRLF Sequences in Wildfly Undertow"
}
GHSA-QFCM-R8PP-MRFM
Vulnerability from github – Published: 2023-09-29 06:30 – Updated: 2024-04-04 07:58All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.
{
"affected": [],
"aliases": [
"CVE-2023-26148"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T05:15:46Z",
"severity": "MODERATE"
},
"details": "All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \\r\\n (carriage return line feeds) characters and inject additional headers in the request sent.",
"id": "GHSA-qfcm-r8pp-mrfm",
"modified": "2024-04-04T07:58:01Z",
"published": "2023-09-29T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26148"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/65d136066fdd5ea4dddaadaa9b0ba90e"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730769"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QH6H-825Q-Q4MX
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).
{
"affected": [],
"aliases": [
"CVE-2017-7528"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-22T16:29:00Z",
"severity": "MODERATE"
},
"details": "Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).",
"id": "GHSA-qh6h-825q-q4mx",
"modified": "2022-05-13T01:36:18Z",
"published": "2022-05-13T01:36:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7528"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7528"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105143"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJ5R-2R5P-PHC7
Vulnerability from github – Published: 2025-08-06 18:31 – Updated: 2025-09-17 20:23Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.
Original Description
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-06T20:44:17Z",
"nvd_published_at": "2025-08-06T17:15:38Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw\u0027s only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.",
"id": "GHSA-qj5r-2r5p-phc7",
"modified": "2025-09-17T20:23:58Z",
"published": "2025-08-06T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8419"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15337"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15338"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15339"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-8419"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385776"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability",
"withdrawn": "2025-09-17T20:23:58Z"
}
GHSA-QPMX-3RFJ-7RHV
Vulnerability from github – Published: 2026-05-27 20:42 – Updated: 2026-05-27 20:42Description
Symfony\Component\Mime\Address is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.
The constructor accepts email addresses whose local-part (the part before @) is an RFC-5322 quoted string containing raw \r\n bytes, e.g. "x\r\nBcc: attacker@evil"@example.com. The stored address is later emitted verbatim into (1) the rendered message headers and (2) SmtpTransport's MAIL FROM:<...> / RCPT TO:<...> protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.
Resolution
The Address constructor now rejects addresses containing line breaks.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/mime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/mime"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/mime"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/mime"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45067"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T20:42:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Description\n\n`Symfony\\Component\\Mime\\Address` is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary.\n\nThe constructor accepts email addresses whose local-part (the part before `@`) is an RFC-5322 *quoted string* containing raw `\\r\\n` bytes, e.g. `\"x\\r\\nBcc: attacker@evil\"@example.com`. The stored address is later emitted verbatim into (1) the rendered message headers and (2) `SmtpTransport`\u0027s `MAIL FROM:\u003c...\u003e` / `RCPT TO:\u003c...\u003e` protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command.\n\n### Resolution\n\nThe `Address` constructor now rejects addresses containing line breaks.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604) for branch 5.4.\n\n### Credits\n\nWe would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-qpmx-3rfj-7rhv",
"modified": "2026-05-27T20:42:07Z",
"published": "2026-05-27T20:42:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-qpmx-3rfj-7rhv"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/dc2dbd29211eb4ddc451373fa1374fb926e94604"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2026-45067.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45067.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45067"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\\Component\\Mime\\Address"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.