CWE-113
AllowedImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Abstraction: Variant · Status: Incomplete
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
177 vulnerabilities reference this CWE, most recent first.
GHSA-F2Q8-66WC-MCGP
Vulnerability from github – Published: 2024-05-15 18:30 – Updated: 2024-05-15 18:30A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack.
This vulnerability is due to insufficient input validation of some parameters that are passed to the web-based management API of the affected system. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to perform cross-site scripting (XSS) attacks, resulting in the execution of arbitrary script code in the browser of the targeted user, or could allow the attacker to access sensitive, browser-based information.
{
"affected": [],
"aliases": [
"CVE-2024-20392"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T18:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management API of Cisco AsyncOS Software for Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. \n\n This vulnerability is due to insufficient input validation of some parameters that are passed to the web-based management API of the affected system. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to perform cross-site scripting (XSS) attacks, resulting in the execution of arbitrary script code in the browser of the targeted user, or could allow the attacker to access sensitive, browser-based information.",
"id": "GHSA-f2q8-66wc-mcgp",
"modified": "2024-05-15T18:30:35Z",
"published": "2024-05-15T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20392"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-http-split-GLrnnOwS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8F7-69V5-W4VX
Vulnerability from github – Published: 2023-07-11 21:30 – Updated: 2023-11-25 12:30The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
{
"affected": [],
"aliases": [
"CVE-2023-29406"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T20:15:10Z",
"severity": "MODERATE"
},
"details": "The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.",
"id": "GHSA-f8f7-69v5-w4vx",
"modified": "2023-11-25T12:30:22Z",
"published": "2023-07-11T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406"
},
{
"type": "WEB",
"url": "https://go.dev/cl/506996"
},
{
"type": "WEB",
"url": "https://go.dev/issue/60374"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/2q13H6LEEx0"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1878"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230814-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FG5Q-R2Q5-QMH3
Vulnerability from github – Published: 2022-05-17 03:57 – Updated: 2024-04-23 22:29CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0"
},
{
"fixed": "6.38"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "6.0"
},
{
"fixed": "6.38"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-3166"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-23T22:29:18Z",
"nvd_published_at": "2016-04-12T15:59:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.",
"id": "GHSA-fg5q-r2q5-qmh3",
"modified": "2024-04-23T22:29:18Z",
"published": "2022-05-17T03:57:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3166"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-3166.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-3166.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/SA-CORE-2016-001"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3498"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/24/19"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/03/15/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Drupal CRLF injection vulnerability in the drupal_set_header function"
}
GHSA-FH2J-2J24-WJWP
Vulnerability from github – Published: 2023-09-29 06:30 – Updated: 2024-04-04 07:58All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-26147"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T05:15:46Z",
"severity": "MODERATE"
},
"details": "All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \\r\\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.",
"id": "GHSA-fh2j-2j24-wjwp",
"modified": "2024-04-04T07:58:00Z",
"published": "2023-09-29T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26147"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/2be265b56b7b3b00de1a777b9dec0c7b"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-ITHEWEILIBHV-5730768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FR94-63Q7-G53G
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705.
{
"affected": [],
"aliases": [
"CVE-2017-12309"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-16T07:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. An exploit could allow the attacker to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits. Cisco Bug IDs: CSCvf16705.",
"id": "GHSA-fr94-63q7-g53g",
"modified": "2022-05-13T01:37:54Z",
"published": "2022-05-13T01:37:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12309"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171115-esa"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101928"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039831"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FVCV-3M26-PCQX
Vulnerability from github – Published: 2026-04-10 19:47 – Updated: 2026-05-20 00:25Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Summary
The Axios library is vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests.
Axios can be used as a gadget after pollution occurs elsewhere because header values merged from attacker-controlled prototype properties are not sanitized for CRLF (\r\n) characters before being written to the request. In affected deployments, this may enable limited request manipulation or metadata access as part of a higher-complexity exploit chain.
Severity: Moderate (CVSS 3.1 Base Score: 4.8)
Affected Versions: All versions (v0.x - v1.x)
Vulnerable Component: lib/adapters/http.js (Header Processing)
Usage of \"Helper\" Vulnerabilities
This issue requires a separate prototype pollution vulnerability in another library in the application stack (for example, qs, minimist, ini, or body-parser). If an attacker can pollute Object.prototype, Axios may pick up the polluted properties during config merge.
Because Axios does not sanitise these merged header values for CRLF (\r\n) characters, the polluted property can alter the structure of an outbound HTTP request.
Proof of Concept
1. The Setup (Simulated Pollution)
Imagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:
Object.prototype['x-amz-target'] = \"dummy\r\n\r\nPUT /latest/api/token HTTP/1.1\r\nHost: 169.254.169.254\r\nX-aws-ec2-metadata-token-ttl-seconds: 21600\r\n\r\nGET /ignore\";
2. The Gadget Trigger (Safe Code)
The application makes a completely safe, hardcoded request:
// This looks safe to the developer
await axios.get('https://analytics.internal/pings');
3. The Execution
Axios merges the prototype property x-amz-target into the request headers. It then writes the header value directly to the socket without validation.
Resulting HTTP traffic:
GET /pings HTTP/1.1
Host: analytics.internal
x-amz-target: dummy
PUT /latest/api/token HTTP/1.1
Host: 169.254.169.254
X-aws-ec2-metadata-token-ttl-seconds: 21600
GET /ignore HTTP/1.1
...
4. The Impact
In environments where requests can reach cloud metadata endpoints or sensitive internal services, the injected header content may help bypass expected request constraints and expose limited credentials or modify request semantics. This impact depends on application context and a separate prototype-pollution primitive.
Impact Analysis
- Confidentiality: May expose limited sensitive information in affected network environments.
- Integrity: May allow modification of outbound request structure or injected headers.
- Attack Complexity: Exploitation requires a separate prototype-pollution vulnerability and a reachable target service.
Recommended Fix
Validate all header values in lib/adapters/http.js and xhr.js before passing them to the underlying request function.
Patch Suggestion:
// In lib/adapters/http.js
utils.forEach(requestHeaders, function setRequestHeader(val, key) {
if (/[\r\n]/.test(val)) {
throw new Error('Security: Header value contains invalid characters');
}
// ... proceed to set header
});
References
- OWASP: CRLF Injection (CWE-113)
This report was generated as part of a security audit of the Axios library.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.15.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40175"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-444",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:47:16Z",
"nvd_published_at": "2026-04-10T20:16:22Z",
"severity": "MODERATE"
},
"details": "# Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain\n\n## Summary\nThe Axios library is vulnerable to a specific gadget-style attack chain in which **prototype pollution** in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests.\n\nAxios can be used as a gadget after pollution occurs elsewhere because header values merged from attacker-controlled prototype properties are not sanitized for CRLF (`\\r\\n`) characters before being written to the request. In affected deployments, this may enable limited request manipulation or metadata access as part of a higher-complexity exploit chain.\n\n**Severity**: Moderate (CVSS 3.1 Base Score: 4.8)\n**Affected Versions**: All versions (v0.x - v1.x)\n**Vulnerable Component**: `lib/adapters/http.js` (Header Processing)\n\n## Usage of \\\"Helper\\\" Vulnerabilities\nThis issue requires a separate **prototype pollution** vulnerability in another library in the application stack (for example, `qs`, `minimist`, `ini`, or `body-parser`). If an attacker can pollute `Object.prototype`, Axios may pick up the polluted properties during config merge.\n\nBecause Axios does not sanitise these merged header values for CRLF (`\\r\\n`) characters, the polluted property can alter the structure of an outbound HTTP request.\n\n## Proof of Concept\n\n### 1. The Setup (Simulated Pollution)\nImagine a scenario where a known vulnerability exists in a query parser. The attacker sends a payload that sets:\n```javascript\nObject.prototype[\u0027x-amz-target\u0027] = \\\"dummy\\r\\n\\r\\nPUT /latest/api/token HTTP/1.1\\r\\nHost: 169.254.169.254\\r\\nX-aws-ec2-metadata-token-ttl-seconds: 21600\\r\\n\\r\\nGET /ignore\\\";\n```\n\n### 2. The Gadget Trigger (Safe Code)\nThe application makes a completely safe, hardcoded request:\n```javascript\n// This looks safe to the developer\nawait axios.get(\u0027https://analytics.internal/pings\u0027); \n```\n\n### 3. The Execution\nAxios merges the prototype property `x-amz-target` into the request headers. It then writes the header value directly to the socket without validation.\n\n**Resulting HTTP traffic:**\n```http\nGET /pings HTTP/1.1\nHost: analytics.internal\nx-amz-target: dummy\n\nPUT /latest/api/token HTTP/1.1\nHost: 169.254.169.254\nX-aws-ec2-metadata-token-ttl-seconds: 21600\n\nGET /ignore HTTP/1.1\n...\n```\n\n### 4. The Impact\nIn environments where requests can reach cloud metadata endpoints or sensitive internal services, the injected header content may help bypass expected request constraints and expose limited credentials or modify request semantics. This impact depends on application context and a separate prototype-pollution primitive.\n\n## Impact Analysis\n- **Confidentiality**: May expose limited sensitive information in affected network environments.\n- **Integrity**: May allow modification of outbound request structure or injected headers.\n- **Attack Complexity**: Exploitation requires a separate prototype-pollution vulnerability and a reachable target service.\n\n## Recommended Fix\nValidate all header values in `lib/adapters/http.js` and `xhr.js` before passing them to the underlying request function.\n\n**Patch Suggestion:**\n```javascript\n// In lib/adapters/http.js\nutils.forEach(requestHeaders, function setRequestHeader(val, key) {\n if (/[\\r\\n]/.test(val)) {\n throw new Error(\u0027Security: Header value contains invalid characters\u0027);\n }\n // ... proceed to set header\n});\n```\n\n## References\n- **OWASP**: CRLF Injection (CWE-113)\n\nThis report was generated as part of a security audit of the Axios library.",
"id": "GHSA-fvcv-3m26-pcqx",
"modified": "2026-05-20T00:25:27Z",
"published": "2026-04-10T19:47:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/10660"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/10660#issuecomment-4224168081"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/10688"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-876049.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v0.31.0"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v1.15.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain"
}
GHSA-G2PG-XWQC-R429
Vulnerability from github – Published: 2022-05-14 01:36 – Updated: 2022-05-14 01:36The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP Header. It requires an interaction with the user to send him the malicious link. It could be used to perform other attacks such as user redirection to a malicious website, HTTP response splitting, or HTTP cache poisoning.
{
"affected": [],
"aliases": [
"CVE-2018-11347"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-04T17:29:00Z",
"severity": "HIGH"
},
"details": "The YunoHost 2.7.2 through 2.7.14 web application is affected by one HTTP Response Header Injection. This flaw allows an attacker to inject, into the response from the server, one or several HTTP Header. It requires an interaction with the user to send him the malicious link. It could be used to perform other attacks such as user redirection to a malicious website, HTTP response splitting, or HTTP cache poisoning.",
"id": "GHSA-g2pg-xwqc-r429",
"modified": "2022-05-14T01:36:58Z",
"published": "2022-05-14T01:36:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11347"
},
{
"type": "WEB",
"url": "https://www.bishopfox.com/news/2018/10/yunohost-2-7-2-to-2-7-14-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GCGX-CHCP-HXP9
Vulnerability from github – Published: 2026-01-26 23:29 – Updated: 2026-01-29 03:25A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.
When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.
Impact
An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:
- Inject arbitrary HTTP headers - Add malicious headers to requests
- HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
- Cache Poisoning - Inject headers that could poison intermediate caches
- Session Fixation - Inject session-related headers
- Bypass Security Controls - Inject headers that bypass server-side security checks
Proof of Concept
from gakido import Client
# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
"User-Agent": "test\r\nX-Injected: pwned"
})
# The server would receive:
# User-Agent: test
# X-Injected: pwned
Affected Code
The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.
File: gakido/headers.py
Function: canonicalize_headers()
Fix
The fix adds a _sanitize_header() function that strips \r, \n, and \x00 characters from both header names and values before they are included in HTTP requests.
def _sanitize_header(name: str, value: str) -> tuple[str, str]:
"""
Sanitize header name and value to prevent HTTP header injection (CRLF injection).
Strips CR, LF, and null bytes from both name and value.
"""
clean_name = name.replace("\r", "").replace("\n", "").replace("\x00", "")
clean_value = value.replace("\r", "").replace("\n", "").replace("\x00", "")
return clean_name, clean_value
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gakido"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24489"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-26T23:29:57Z",
"nvd_published_at": "2026-01-27T01:16:02Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.\n\nWhen making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.\n\n## Impact\n\nAn attacker who can control header values passed to Gakido\u0027s `Client.get()`, `Client.post()`, or other request methods could:\n\n1. **Inject arbitrary HTTP headers** - Add malicious headers to requests\n2. **HTTP Response Splitting** - Potentially manipulate responses in certain proxy configurations\n3. **Cache Poisoning** - Inject headers that could poison intermediate caches\n4. **Session Fixation** - Inject session-related headers\n5. **Bypass Security Controls** - Inject headers that bypass server-side security checks\n\n## Proof of Concept\n\n```python\nfrom gakido import Client\n\n# Before fix: X-Injected header would be sent as a separate header\nc = Client(impersonate=\"chrome_120\")\nr = c.get(\"https://httpbin.org/headers\", headers={\n \"User-Agent\": \"test\\r\\nX-Injected: pwned\"\n})\n\n# The server would receive:\n# User-Agent: test\n# X-Injected: pwned\n```\n\n## Affected Code\n\nThe vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.\n\n**File:** `gakido/headers.py` \n**Function:** `canonicalize_headers()`\n\n## Fix\n\nThe fix adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests.\n\n```python\ndef _sanitize_header(name: str, value: str) -\u003e tuple[str, str]:\n \"\"\"\n Sanitize header name and value to prevent HTTP header injection (CRLF injection).\n Strips CR, LF, and null bytes from both name and value.\n \"\"\"\n clean_name = name.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n clean_value = value.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n return clean_name, clean_value\n```",
"id": "GHSA-gcgx-chcp-hxp9",
"modified": "2026-01-29T03:25:02Z",
"published": "2026-01-26T23:29:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24489"
},
{
"type": "WEB",
"url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"
},
{
"type": "PACKAGE",
"url": "https://github.com/HappyHackingSpace/gakido"
},
{
"type": "WEB",
"url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gakido vulnerable to HTTP Header Injection (CRLF Injection) "
}
GHSA-GFH7-VC32-58W3
Vulnerability from github – Published: 2022-05-01 18:34 – Updated: 2022-05-01 18:34CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2007-5595"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-10-19T23:17:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the drupal_goto function in includes/common.inc Drupal 4.7.x before 4.7.8 and 5.x before 5.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "GHSA-gfh7-vc32-58w3",
"modified": "2022-05-01T18:34:55Z",
"published": "2022-05-01T18:34:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5595"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37264"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html"
},
{
"type": "WEB",
"url": "http://drupal.org/node/184315"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27292"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27352"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/26119"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3546"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H395-QCRW-5VMQ
Vulnerability from github – Published: 2021-06-23 17:53 – Updated: 2024-05-20 19:29When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gin-gonic/gin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28483"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:46:50Z",
"nvd_published_at": "2021-01-20T18:15:00Z",
"severity": "HIGH"
},
"details": "When gin is exposed directly to the internet, a client\u0027s IP can be spoofed by setting the X-Forwarded-For header. This affects all versions of package github.com/gin-gonic/gin under 1.7.7. ",
"id": "GHSA-h395-qcrw-5vmq",
"modified": "2024-05-20T19:29:07Z",
"published": "2021-06-23T17:53:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28483"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2232"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2473"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/issues/2862"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2474"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2474#23issuecomment-729696437"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2632"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2675"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2844"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/pull/2844/files#diff-e6ce689a25eaef174c2dd51fe869fabbe04a6c6afbd416b23eda138c82e761baR1432"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/03e5e05ae089bc989f1ca41841f05504d29e3fd9"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/5929d521715610c9dd14898ebbe1d188d5de8937"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/commit/bfc8ca285eb46dad60e037d57c545cd260636711"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0052"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/releases/tag/v1.7.7"
},
{
"type": "WEB",
"url": "https://github.com/gin-gonic/gin/releases/tag/v1.7.0"
},
{
"type": "PACKAGE",
"url": "https://github.com/gin-gonic/gin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Inconsistent Interpretation of HTTP Requests in github.com/gin-gonic/gin"
}
Mitigation
Strategy: Input Validation
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-105: HTTP Request Splitting
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-34: HTTP Response Splitting
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.
See CanPrecede relationships for possible consequences.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.