Common Weakness Enumeration

CWE-93

Allowed

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

323 vulnerabilities reference this CWE, most recent first.

GHSA-2X39-J499-JV87

Vulnerability from github – Published: 2026-05-16 15:31 – Updated: 2026-05-19 15:31
VLAI
Details

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.

The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-16T14:16:37Z",
    "severity": "MODERATE"
  },
  "details": "Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections.\n\nThe metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.",
  "id": "GHSA-2x39-j499-jv87",
  "modified": "2026-05-19T15:31:21Z",
  "published": "2026-05-16T15:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46719"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robrwo/Net-Statsd-Lite/commit/e1a8ab866d75c2827982134e9cf7e51a7f771153.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.9.0/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/16/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32PC-XPHX-Q4F6

Vulnerability from github – Published: 2018-07-12 20:30 – Updated: 2024-09-20 21:11
VLAI
Summary
Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers
Details

gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in "process_headers" function in "gunicorn/http/wsgi.py" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gunicorn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:53:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers vulnerability in \"process_headers\" function in \"gunicorn/http/wsgi.py\" that can result in an attacker causing the server to return arbitrary HTTP headers. This vulnerability appears to have been fixed in 19.5.0.",
  "id": "GHSA-32pc-xphx-q4f6",
  "modified": "2024-09-20T21:11:57Z",
  "published": "2018-07-12T20:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000164"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/gunicorn/issues/1227"
    },
    {
      "type": "WEB",
      "url": "https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-32pc-xphx-q4f6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/gunicorn"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/gunicorn/PYSEC-2018-55.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4022-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gunicorn contains Improper Neutralization of CRLF sequences in HTTP headers"
}

GHSA-35WP-MQ65-94RH

Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2022-05-14 02:46
VLAI
Details

CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "MODERATE"
  },
  "details": "CRLF injection vulnerability in Infoblox Network Automation NetMRI before 7.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the contentType parameter in a login action to config/userAdmin/login.tdf.",
  "id": "GHSA-35wp-mq65-94rh",
  "modified": "2022-05-14T02:46:13Z",
  "published": "2022-05-14T02:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6484"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/138615/Infoblox-7.0.1-CRLF-Injection-HTTP-Response-Splitting.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/539366/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92794"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036736"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37FH-F35C-R73M

Vulnerability from github – Published: 2026-06-05 18:31 – Updated: 2026-06-08 21:31
VLAI
Details

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.

DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.

The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11362"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-05T16:16:41Z",
    "severity": "CRITICAL"
  },
  "details": "DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.\n\nDataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.\n\nThe format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections.  (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.)",
  "id": "GHSA-37fh-f35c-r73m",
  "modified": "2026-06-08T21:31:49Z",
  "published": "2026-06-05T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11362"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46741"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39H2-3MQ3-959G

Vulnerability from github – Published: 2026-01-21 00:31 – Updated: 2026-03-03 15:31
VLAI
Details

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T22:15:50Z",
    "severity": "MODERATE"
  },
  "details": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
  "id": "GHSA-39h2-3mq3-959g",
  "modified": "2026-03-03T15:31:35Z",
  "published": "2026-01-21T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11468"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/143935"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/143936"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/003b8315669b9f08b1010a49071f73f15f818094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/61614a5e5056e4f61ced65008d4576f3df34acb6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/a76e4cd62dd68e7cbe86e37e6ed988495a646b66"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/e9970f077240c7c670e8a6fc6662f2b30d3b6ad0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/f738386838021c762efea6c9802c82de65e87796"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3CVR-822R-RQCC

Vulnerability from github – Published: 2022-07-21 20:30 – Updated: 2022-07-21 20:30
VLAI
Summary
undici before v5.8.0 vulnerable to CRLF injection in request headers
Details

Impact

It is possible to inject CRLF sequences into request headers in Undici.

const undici = require('undici')

const response = undici.request("http://127.0.0.1:1000", {
  headers: {'a': "\r\nb"}
})

The same applies to path and method

Patches

Update to v5.8.0

Workarounds

Sanitize all HTTP headers from untrusted sources to eliminate \r\n.

References

https://hackerone.com/reports/409943 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T20:30:10Z",
    "nvd_published_at": "2022-07-19T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIt is possible to inject CRLF sequences into request headers in Undici.\n\n```js\nconst undici = require(\u0027undici\u0027)\n\nconst response = undici.request(\"http://127.0.0.1:1000\", {\n  headers: {\u0027a\u0027: \"\\r\\nb\"}\n})\n```\n\nThe same applies to `path` and `method`\n\n### Patches\n\nUpdate to v5.8.0\n\n### Workarounds\n\nSanitize all HTTP headers from untrusted sources to eliminate `\\r\\n`.\n\n### References\n\nhttps://hackerone.com/reports/409943\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n",
  "id": "GHSA-3cvr-822r-rqcc",
  "modified": "2022-07-21T20:30:10Z",
  "published": "2022-07-21T20:30:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31150"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/409943"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220915-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "undici before v5.8.0 vulnerable to CRLF injection in request headers"
}

GHSA-3HXG-FXWM-8GF7

Vulnerability from github – Published: 2024-11-04 23:23 – Updated: 2024-11-08 15:19
VLAI
Summary
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
Details

Summary

The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.

Details

The way HTTP headers are added to a request is via the HttpHeaders.TryAddWithoutValidation method: https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328 This method does not check for CRLF characters in the header value.

This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the "Authorization" header:

using Refit;

internal class Program
{
    private static void Main(string[] args)
    {
        // Usage: dotnet run <bearer token> 
        string token = args[0];
        var service = RestService.For<IStatusApi>("http://insert.some.site.here");
        string response = service.GetStatus(token).Result;
        Console.WriteLine($"Response: {response}");
    }

    public interface IStatusApi
    {
        [Get("/status")]
        Task<string> GetStatus([Authorize("Bearer")] string token);
    }
}

This application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):

anonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $'test\r\nUser-Agent: injected header!\r\n\r\nGET /smuggled HTTP/1.1\r\nHost: insert.some.site.here'
Response: <html></html>

The application intends to send a single request of the form:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer <bearer token>

But as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:

GET /status HTTP/1.1
Host: insert.some.site.here
Authorization: Bearer test
User-Agent: injected header!

and

GET /smuggled HTTP/1.1
Host: insert.some.site.here

This can be confirmed by checking the access logs on the server where these commands were run (with insert.some.site.here pointing to localhost):

anonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /status HTTP/1.1" 200 240 "-" "injected header!"
127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] "GET /smuggled HTTP/1.1" 404 436 "-" "-"

Impact

If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.

Strictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Refit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-04T23:23:17Z",
    "nvd_published_at": "2024-11-04T23:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection.\n\n### Details\nThe way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method: \u003chttps://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328\u003e\nThis method does not check for CRLF characters in the header value.\n\nThis means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.\n\n### PoC\nThe below example code creates a console app that takes one command line variable (a bearer token) and then makes a request to some status page with the provided token inserted in the \"Authorization\" header:\n\n```c#\nusing Refit;\n\ninternal class Program\n{\n    private static void Main(string[] args)\n    {\n        // Usage: dotnet run \u003cbearer token\u003e \n        string token = args[0];\n        var service = RestService.For\u003cIStatusApi\u003e(\"http://insert.some.site.here\");\n        string response = service.GetStatus(token).Result;\n        Console.WriteLine($\"Response: {response}\");\n    }\n\n    public interface IStatusApi\n    {\n        [Get(\"/status\")]\n        Task\u003cstring\u003e GetStatus([Authorize(\"Bearer\")] string token);\n    }\n}\n```\n\nThis application is now vulnerable to CRLF-injection, and can thus be abused to for example perform request splitting and thus server side request forgery (SSRF):\n\n```bash\nanonymous@ubuntu-sofia-672448:~$ dotnet Refit-cli.dll $\u0027test\\r\\nUser-Agent: injected header!\\r\\n\\r\\nGET /smuggled HTTP/1.1\\r\\nHost: insert.some.site.here\u0027\nResponse: \u003chtml\u003e\u003c/html\u003e\n```\n\nThe application intends to send a single request of the form:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer \u003cbearer token\u003e\n```\nBut as the application is vulnerable to CRLF injection the above command will instead result in the following two requests being sent:\n```http\nGET /status HTTP/1.1\nHost: insert.some.site.here\nAuthorization: Bearer test\nUser-Agent: injected header!\n```\nand\n```http\nGET /smuggled HTTP/1.1\nHost: insert.some.site.here\n```\n\nThis can be confirmed by checking the access logs on the server where these commands were run (with `insert.some.site.here` pointing to localhost):\n```bash\nanonymous@ubuntu-sofia-672448:~$ sudo tail /var/log/apache2/access.log\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /status HTTP/1.1\" 200 240 \"-\" \"injected header!\"\n127.0.0.1 - - [29/Aug/2024:12:17:34 +0000] \"GET /smuggled HTTP/1.1\" 404 436 \"-\" \"-\"\n```\n\n### Impact\nIf an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery.\n\nStrictly speaking this is a potential vulnerability in applications using Refit, not in Refit itself, but I would argue that at the very least there needs to be a warning about this behaviour in the Refit documentation.\n\n",
  "id": "GHSA-3hxg-fxwm-8gf7",
  "modified": "2024-11-08T15:19:17Z",
  "published": "2024-11-04T23:23:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reactiveui/refit/security/advisories/GHSA-3hxg-fxwm-8gf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactiveui/refit/commit/483b1d8df18098f137ca0eca056b7e9ec19f70dd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reactiveui/refit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactiveui/refit/blob/258a771f44417c6e48e103ac921fe4786f3c2a1e/Refit/RequestBuilderImplementation.cs#L1328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CRLF injection in Refit\u0027s [Header], [HeaderCollection] and [Authorize] attributes "
}

GHSA-3JVV-M32R-4HPF

Vulnerability from github – Published: 2023-07-06 06:30 – Updated: 2024-04-04 05:25
VLAI
Details

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-06T05:15:09Z",
    "severity": "MODERATE"
  },
  "details": "All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \\r\\n (carriage return line feeds) characters and inject additional headers in the request sent.",
  "id": "GHSA-3jvv-m32r-4hpf",
  "modified": "2024-04-04T05:25:57Z",
  "published": "2023-07-06T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26138"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/dellalibera/d2abd809f32ec6c61be1f41d80edf61b"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-5665555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MJ9-VRRP-55V4

Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-18 21:31
VLAI
Details

A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50682"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T20:15:50Z",
    "severity": "MODERATE"
  },
  "details": "A CRLF injection vulnerability in Kentico Xperience allows attackers to manipulate URL query string redirects via improper encoding in the routing engine. This could enable header injection and potentially facilitate further web application attacks.",
  "id": "GHSA-3mj9-vrrp-55v4",
  "modified": "2025-12-18T21:31:43Z",
  "published": "2025-12-18T21:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50682"
    },
    {
      "type": "WEB",
      "url": "https://devnet.kentico.com/download/hotfixes"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/kentico-xperience-routing-engine-crlf-injection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3WRH-PMFV-38F4

Vulnerability from github – Published: 2024-06-14 12:30 – Updated: 2024-07-03 18:45
VLAI
Details

A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T12:15:09Z",
    "severity": "HIGH"
  },
  "details": "A CRLF cross-site scripting vulnerability has been identified in certain configurations of the SiteMinder Web Agent for IIS Web Server and SiteMinder Web Agent for Domino Web Server. As a result, an attacker can execute arbitrary Javascript code in a client browser.",
  "id": "GHSA-3wrh-pmfv-38f4",
  "modified": "2024-07-03T18:45:19Z",
  "published": "2024-06-14T12:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36459"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Avoid using CRLF as a special sequence.

Mitigation
Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.