CWE-113
AllowedImproper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Abstraction: Variant · Status: Incomplete
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
177 vulnerabilities reference this CWE, most recent first.
GHSA-2VRM-GR82-F7M5
Vulnerability from github – Published: 2026-04-01 21:20 – Updated: 2026-04-06 16:46Summary
An attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits.
Impact
If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.3"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34514"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T21:20:06Z",
"nvd_published_at": "2026-04-01T21:16:59Z",
"severity": "LOW"
},
"details": "### Summary\n\nAn attacker who controls the `content_type` parameter in aiohttp could use this to inject extra headers or similar exploits.\n\n### Impact\n\nIf an application allows untrusted data to be used for the multipart `content_type` parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06",
"id": "GHSA-2vrm-gr82-f7m5",
"modified": "2026-04-06T16:46:49Z",
"published": "2026-04-01T21:20:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34514"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP has CRLF injection through multipart part content type header construction"
}
GHSA-334H-JMQC-FX27
Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a denial of service can occur for ~1 minute by sending a specially crafted HTTP request.
{
"affected": [],
"aliases": [
"CVE-2018-7830"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-30T19:29:00Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a denial of service can occur for ~1 minute by sending a specially crafted HTTP request.",
"id": "GHSA-334h-jmqc-fx27",
"modified": "2022-05-14T01:44:38Z",
"published": "2022-05-14T01:44:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7830"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2018-327-01"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/tra-2018-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-33VF-4XGG-9R58
Vulnerability from github – Published: 2020-03-03 23:33 – Updated: 2023-05-16 16:16Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.
Patches
This has been fixed in 4.3.3 and 3.12.4.
Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
For more information
If you have any questions or comments about this advisory: * Open an issue in puma * Email us a project maintainer. Email addresses are listed in our Code of Conduct.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5249"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-02T15:03:13Z",
"nvd_published_at": "2020-03-02T16:15:12Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).\n\nWhile not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [puma](https://github.com/puma/puma)\n* Email us a project maintainer. [Email addresses are listed in our Code of Conduct](https://github.com/puma/puma/blob/master/CODE_OF_CONDUCT.md#enforcement).",
"id": "GHSA-33vf-4xgg-9r58",
"modified": "2023-05-16T16:16:20Z",
"published": "2020-03-03T23:33:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5249"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "HTTP Response Splitting (Early Hints) in Puma"
}
GHSA-34HG-76XW-P647
Vulnerability from github – Published: 2022-05-14 01:33 – Updated: 2022-05-14 01:33HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) may allow a remote attackers to lead a user to a phishing site or execute an arbitrary script on the user's web browser.
{
"affected": [],
"aliases": [
"CVE-2018-0689"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-09T23:29:00Z",
"severity": "HIGH"
},
"details": "HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, EP-30VA firmware versions released prior to 2017 June 19, EP-707A firmware versions released prior to 2017 August 1, EP-708A firmware versions released prior to 2017 August 7, EP-709A firmware versions released prior to 2017 June 12, EP-777A firmware versions released prior to 2017 August 1, EP-807AB/AW/AR firmware versions released prior to 2017 August 1, EP-808AB/AW/AR firmware versions released prior to 2017 August 7, EP-879AB/AW/AR firmware versions released prior to 2017 June 12, EP-907F firmware versions released prior to 2017 August 1, EP-977A3 firmware versions released prior to 2017 August 1, EP-978A3 firmware versions released prior to 2017 August 7, EP-979A3 firmware versions released prior to 2017 June 12, EP-M570T firmware versions released prior to 2017 September 6, EW-M5071FT firmware versions released prior to 2017 November 2, EW-M660FT firmware versions released prior to 2018 April 19, EW-M770T firmware versions released prior to 2017 September 6, PF-70 firmware versions released prior to 2018 April 20, PF-71 firmware versions released prior to 2017 July 18, PF-81 firmware versions released prior to 2017 September 14, PX-048A firmware versions released prior to 2017 July 4, PX-049A firmware versions released prior to 2017 September 11, PX-437A firmware versions released prior to 2017 July 24, PX-M350F firmware versions released prior to 2018 February 23, PX-M5040F firmware versions released prior to 2017 November 20, PX-M5041F firmware versions released prior to 2017 November 20, PX-M650A firmware versions released prior to 2017 October 17, PX-M650F firmware versions released prior to 2017 October 17, PX-M680F firmware versions released prior to 2017 June 29, PX-M7050F firmware versions released prior to 2017 October 13, PX-M7050FP firmware versions released prior to 2017 October 13, PX-M7050FX firmware versions released prior to 2017 November 7, PX-M7070FX firmware versions released prior to 2017 April 27, PX-M740F firmware versions released prior to 2017 December 4, PX-M741F firmware versions released prior to 2017 December 4, PX-M780F firmware versions released prior to 2017 June 29, PX-M781F firmware versions released prior to 2017 June 27, PX-M840F firmware versions released prior to 2017 November 16, PX-M840FX firmware versions released prior to 2017 December 8, PX-M860F firmware versions released prior to 2017 October 25, PX-S05B/W firmware versions released prior to 2018 March 9, PX-S350 firmware versions released prior to 2018 February 23, PX-S5040 firmware versions released prior to 2017 November 20, PX-S7050 firmware versions released prior to 2018 February 21, PX-S7050PS firmware versions released prior to 2018 February 21, PX-S7050X firmware versions released prior to 2017 November 7, PX-S7070X firmware versions released prior to 2017 April 27, PX-S740 firmware versions released prior to 2017 December 3, PX-S840 firmware versions released prior to 2017 November 16, PX-S840X firmware versions released prior to 2017 December 8, PX-S860 firmware versions released prior to 2017 December 7) may allow a remote attackers to lead a user to a phishing site or execute an arbitrary script on the user\u0027s web browser.",
"id": "GHSA-34hg-76xw-p647",
"modified": "2022-05-14T01:33:54Z",
"published": "2022-05-14T01:33:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0689"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN89767228/index.html"
},
{
"type": "WEB",
"url": "https://www.epson.jp/support/misc/20181203_oshirase.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-35FR-H7JR-HH86
Vulnerability from github – Published: 2019-12-06 18:55 – Updated: 2021-04-27 18:03Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response.
Impact
- Cross-User Defacement
- Cache Poisoning
- Cross-Site Scripting (XSS)
- Page Hijacking
Root Cause
The root cause is due to the usage of Netty without the HTTP header validation.
https://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/common/DefaultHttpHeaders.java#L23
Patches
This vulnerability has been patched in 0.97.0.
References
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') https://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j
For more information
If you have any questions or comments about this advisory: * Open an issue in GitHub
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.linecorp.armeria:armeria"
},
"ranges": [
{
"events": [
{
"introduced": "0.85.0"
},
{
"fixed": "0.97.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-27T18:03:07Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response.\n\n### Impact\n\n1. Cross-User Defacement\n2. Cache Poisoning\n3. Cross-Site Scripting (XSS)\n4. Page Hijacking\n\n\n### Root Cause\n\nThe root cause is due to the usage of Netty without the HTTP header validation.\n\nhttps://github.com/line/armeria/blob/f0d870fde1088114070be31b67f7df0a21e835c6/core/src/main/java/com/linecorp/armeria/common/DefaultHttpHeaders.java#L23\n\n### Patches\n\nThis vulnerability has been patched in 0.97.0.\n\n### References\n\n[CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)](https://cwe.mitre.org/data/definitions/113.html)\nhttps://github.com/ratpack/ratpack/security/advisories/GHSA-mvqp-q37c-wf9j\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](https://github.com/line/armeria/issues)",
"id": "GHSA-35fr-h7jr-hh86",
"modified": "2021-04-27T18:03:07Z",
"published": "2019-12-06T18:55:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) in Armeria"
}
GHSA-3885-GG9G-8J6J
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2023-06-26 18:30A vulnerability exists in the http web interface where the web interface does not validate data in an HTTP header. This causes a possible HTTP response splitting, which if exploited could lead an attacker to channel down harmful code into the user’s web browser, such as to steal the session cookies. Thus, an attacker who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., the link is sent per E-Mail, could trick the user into downloading malicious software onto his computer. This issue affects: Hitachi Energy MSM V2.2 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-40336"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-352",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability exists in the http web interface where the web interface does not validate data in an HTTP header. This causes a possible HTTP response splitting, which if exploited could lead an attacker to channel down harmful code into the user\u2019s web browser, such as to steal the session cookies. Thus, an attacker who successfully makes an MSM user who has already established a session to MSM web interface clicks a forged link to the MSM web interface, e.g., the link is sent per E-Mail, could trick the user into downloading malicious software onto his computer. This issue affects: Hitachi Energy MSM V2.2 and prior versions.",
"id": "GHSA-3885-gg9g-8j6j",
"modified": "2023-06-26T18:30:21Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40336"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=8DBD000085\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3F78-WQ4J-7VGR
Vulnerability from github – Published: 2023-01-17 21:30 – Updated: 2023-01-25 03:30Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
{
"affected": [],
"aliases": [
"CVE-2022-37436"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-436"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-17T20:15:00Z",
"severity": "MODERATE"
},
"details": "Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.",
"id": "GHSA-3f78-wq4j-7vgr",
"modified": "2023-01-25T03:30:32Z",
"published": "2023-01-17T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37436"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3HRH-PFW6-9M5X
Vulnerability from github – Published: 2026-06-04 17:59 – Updated: 2026-06-04 17:59Summary
The serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes.
Details
When constructing a Set-Cookie header value, serialize() appends the sameSite and priority option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing ; or line-feed characters, passes through unchanged.
The validation guard that rejects ;, \r, and \n from domain and path is not applied to sameSite or priority. An application that passes a request-derived value to either option therefore provides an injection point into the header line.
This issue arises when an application passes user-controlled input to the sameSite or priority option of setCookie() or serialize().
Impact
An attacker who can control the sameSite or priority option value may inject additional attributes into a Set-Cookie response header.
This may lead to:
- Cookie attribute injection — overriding
Domain,Path,HttpOnly,Secure, orMax-Agefor the affected cookie - HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled
Set-Cookieheader in the same response
This issue affects applications that pass user-derived input into the sameSite or priority option of hono/cookie serialization functions.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.12.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47675"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-1287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T17:59:25Z",
"nvd_published_at": "2026-05-28T17:16:32Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `serialize()` function in `hono/cookie` validates `domain` and `path` options against characters that corrupt `Set-Cookie` header syntax (`;`, `\\r`, `\\n`), but does not apply the same validation to `sameSite` and `priority`. An application that passes user-controlled input into either option may produce a `Set-Cookie` response header containing attacker-chosen additional attributes.\n\n### Details\n\nWhen constructing a `Set-Cookie` header value, `serialize()` appends the `sameSite` and `priority` option values directly into the output string after a presentation-only transformation (capitalizing the first character). Although the TypeScript type signature constrains these options to specific string literals, that constraint is not enforced at runtime; any string value, including one containing `;` or line-feed characters, passes through unchanged.\n\nThe validation guard that rejects `;`, `\\r`, and `\\n` from `domain` and `path` is not applied to `sameSite` or `priority`. An application that passes a request-derived value to either option therefore provides an injection point into the header line.\n\nThis issue arises when an application passes user-controlled input to the `sameSite` or `priority` option of `setCookie()` or `serialize()`.\n\n### Impact\n\nAn attacker who can control the `sameSite` or `priority` option value may inject additional attributes into a `Set-Cookie` response header.\n\nThis may lead to:\n\n- Cookie attribute injection \u2014 overriding `Domain`, `Path`, `HttpOnly`, `Secure`, or `Max-Age` for the affected cookie\n- HTTP response header injection on runtimes that do not strictly validate header values, enabling a second attacker-controlled `Set-Cookie` header in the same response\n\nThis issue affects applications that pass user-derived input into the `sameSite` or `priority` option of `hono/cookie` serialization functions.",
"id": "GHSA-3hrh-pfw6-9m5x",
"modified": "2026-06-04T17:59:25Z",
"published": "2026-06-04T17:59:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-3hrh-pfw6-9m5x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47675"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/905aedbc20661e0e2fa378783a7ec44a5c3df43d"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.12.21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection"
}
GHSA-3Q32-62V8-WP6J
Vulnerability from github – Published: 2022-05-17 03:49 – Updated: 2022-05-17 03:49CRLF injection vulnerability in Huawei FusionAccess before V100R006C00 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-6839"
],
"database_specific": {
"cwe_ids": [
"CWE-113"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-07T19:28:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in Huawei FusionAccess before V100R006C00 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "GHSA-3q32-62v8-wp6j",
"modified": "2022-05-17T03:49:15Z",
"published": "2022-05-17T03:49:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6839"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160817-01-fusionaccess-en"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92502"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R2P-C9R5-PW6W
Vulnerability from github – Published: 2023-09-19 21:31 – Updated: 2024-04-04 07:44All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.
{
"affected": [],
"aliases": [
"CVE-2023-26142"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T05:15:41Z",
"severity": "MODERATE"
},
"details": "All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \\r\\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.",
"id": "GHSA-3r2p-c9r5-pw6w",
"modified": "2024-04-04T07:44:33Z",
"published": "2023-09-19T21:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26142"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/9247769cc90ed96c0d72ddbcba88c65c"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-CROW-5665556"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Input Validation
Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Strategy: Output Encoding
Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-105: HTTP Request Splitting
An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).
See CanPrecede relationships for possible consequences.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-34: HTTP Response Splitting
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.
See CanPrecede relationships for possible consequences.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.