CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-CQ87-8R7H-962V
Vulnerability from github – Published: 2026-06-12 15:07 – Updated: 2026-06-12 15:07Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components.
This vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 and later releases.
This vulnerability is caused by the NIOHTTPRequestHeadersValidator and NIOHTTPResponseHeadersValidator channel handlers only validating header field names and values, while leaving the request URI, request method, and response reason phrase unvalidated. An attacker who can influence the content of these fields — for example by controlling a URL path or a custom HTTP method in a proxy application — can inject CR/LF sequences or other control characters into the HTTP start line. This allows construction of arbitrary additional HTTP requests or responses on the wire, a classic HTTP request smuggling or HTTP response splitting attack.
Exploiting this vulnerability requires the attacker to influence the content of outbound HTTP start line fields. In proxy applications that forward attacker-controlled URIs or methods, this is straightforward. For clients, a malicious server that triggers a redirect to a crafted URL could exploit the URI validation gap. For servers, any client that can cause the server to emit a crafted response reason phrase could exploit the response splitting gap.
In vulnerable applications, where attacker controlled data is supplied to these fields, the attack is low-effort: injecting a CRLF sequence into a URI or reason phrase requires only a single crafted request. Successful exploitation can allow an attacker to smuggle additional HTTP requests past intermediaries or split HTTP responses, potentially bypassing WAFs or poisoning web caches. However, most applications are not vulnerable at all.
The risk can be mitigated by ensuring that all user-controlled input is sanitized before being used in HTTP start line components. However, this mitigation places the burden on application developers and is error-prone.
The issue is fixed by extending NIOHTTPRequestHeadersValidator to validate request URIs against the character set defined in RFC 9112 Section 3.2 and RFC 3986 Section 3, and to validate custom HTTP methods against the token grammar defined in RFC 9110. NIOHTTPResponseHeadersValidator is extended to validate custom response reason phrases against RFC 9112 Section 4. Applications that use these validator channel handlers — which are installed by default when using addHTTPClientHandlers() or addHTTPServerHandlers() — will reject invalid outbound messages with an HTTPParserError.invalidHeaderToken error rather than emitting them to the network.
SwiftNIO is grateful to @kuranikaran and @YLChen-007 for their reporting and assistance with the project's process.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.99.0"
},
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/apple/swift-nio"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.100.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28970"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T15:07:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Programs using swift-nio is vulnerable to HTTP request smuggling and HTTP response splitting attacks, caused by insufficient validation of outbound HTTP/1.1 request and response start line components.\n\nThis vulnerability affects all swift-nio versions from 2.0.0 to 2.99.0. It is fixed in 2.100.0 and later releases. \n \nThis vulnerability is caused by the `NIOHTTPRequestHeadersValidator` and `NIOHTTPResponseHeadersValidator` channel handlers only validating header field names and values, while leaving the request URI, request method, and response reason phrase unvalidated. An attacker who can influence the content of these fields \u2014 for example by controlling a URL path or a custom HTTP method in a proxy application \u2014 can inject CR/LF sequences or other control characters into the HTTP start line. This allows construction of arbitrary additional HTTP requests or responses on the wire, a classic HTTP request smuggling or HTTP response splitting attack.\n\nExploiting this vulnerability requires the attacker to influence the content of outbound HTTP start line fields. In proxy applications that forward attacker-controlled URIs or methods, this is straightforward. For clients, a malicious server that triggers a redirect to a crafted URL could exploit the URI validation gap. For servers, any client that can cause the server to emit a crafted response reason phrase could exploit the response splitting gap. \n \nIn vulnerable applications, where attacker controlled data is supplied to these fields, the attack is low-effort: injecting a CRLF sequence into a URI or reason phrase requires only a single crafted request. Successful exploitation can allow an attacker to smuggle additional HTTP requests past intermediaries or split HTTP responses, potentially bypassing WAFs or poisoning web caches. However, most applications are not vulnerable at all.\n \nThe risk can be mitigated by ensuring that all user-controlled input is sanitized before being used in HTTP start line components. However, this mitigation places the burden on application developers and is error-prone.\n \nThe issue is fixed by extending `NIOHTTPRequestHeadersValidator` to validate request URIs against the character set defined in RFC 9112 Section 3.2 and RFC 3986 Section 3, and to validate custom HTTP methods against the token grammar defined in RFC 9110. `NIOHTTPResponseHeadersValidator` is extended to validate custom response reason phrases against RFC 9112 Section 4. Applications that use these validator channel handlers \u2014 which are installed by default when using `addHTTPClientHandlers()` or `addHTTPServerHandlers()` \u2014 will reject invalid outbound messages with an HTTPParserError.invalidHeaderToken error rather than emitting them to the network.\n\nSwiftNIO is grateful to @kuranikaran and @YLChen-007 for their reporting and assistance with the project\u0027s process.",
"id": "GHSA-cq87-8r7h-962v",
"modified": "2026-06-12T15:07:01Z",
"published": "2026-06-12T15:07:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apple/swift-nio/security/advisories/GHSA-cq87-8r7h-962v"
},
{
"type": "PACKAGE",
"url": "https://github.com/apple/swift-nio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "SwiftNIO: CRLF Injection in outbound HTTP request URI via NIOHTTPRequestHeadersValidator"
}
GHSA-CRCG-R773-W4RV
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2022-05-13 01:09Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).
{
"affected": [],
"aliases": [
"CVE-2016-4975"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-14T12:29:00Z",
"severity": "MODERATE"
},
"details": "Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the \"Location\" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31).",
"id": "GHSA-crcg-r773-w4rv",
"modified": "2022-05-13T01:09:44Z",
"published": "2022-05-13T01:09:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4975"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20180926-0006"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105093"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F49H-4F4J-3RJC
Vulnerability from github – Published: 2024-05-22 12:32 – Updated: 2026-01-05 21:30A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-5193"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-22T11:15:53Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-f49h-4f4j-3rjc",
"modified": "2026-01-05T21:30:26Z",
"published": "2024-05-22T12:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5193"
},
{
"type": "WEB",
"url": "https://github.com/maximmasiutin/TinyWeb/commit/d49c3da6a97e950975b18626878f3ee1f082358e"
},
{
"type": "WEB",
"url": "https://github.com/DMCERTCE/CRLF_Tiny"
},
{
"type": "WEB",
"url": "https://github.com/maximmasiutin/TinyWeb/releases/tag/v1.99"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.265830"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.265830"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.333059"
},
{
"type": "WEB",
"url": "https://www.masiutin.net/tinyweb-cve-2024-5193.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F6HP-9PQ5-MM4G
Vulnerability from github – Published: 2025-07-29 15:31 – Updated: 2026-06-05 15:32Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting.This issue affects Geodi: before GEODI Setup 9.0.146.
{
"affected": [],
"aliases": [
"CVE-2025-6175"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T13:15:28Z",
"severity": "HIGH"
},
"details": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in DECE Software Geodi allows HTTP Request Splitting.This issue affects Geodi: before GEODI Setup 9.0.146.",
"id": "GHSA-f6hp-9pq5-mm4g",
"modified": "2026-06-05T15:32:04Z",
"published": "2025-07-29T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6175"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0182"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F772-66G8-Q5H3
Vulnerability from github – Published: 2022-08-18 19:02 – Updated: 2023-01-19 01:01Impact
=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.
Example:
import { request } from 'undici'
const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1'
await request('http://localhost:3000, {
method: 'GET',
headers: {
'content-type': unsanitizedContentTypeInput
},
})
The above snippet will perform two requests in a single request API call:
1) http://localhost:3000/
2) http://localhost:3000/foo2
Patches
This issue was patched in Undici v5.8.1
Workarounds
Sanitize input when sending content-type headers using user input.
For more information
If you have any questions or comments about this advisory:
- Open an issue in undici repository
- To make a report, follow the SECURITY document
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.1"
},
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35948"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:02:56Z",
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n`=\u003c undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.\n\nExample:\n\n```\nimport { request } from \u0027undici\u0027\n\nconst unsanitizedContentTypeInput = \u0027application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1\u0027\n\nawait request(\u0027http://localhost:3000, {\n method: \u0027GET\u0027,\n headers: {\n \u0027content-type\u0027: unsanitizedContentTypeInput\n },\n})\n```\n\nThe above snippet will perform two requests in a single `request` API call:\n\n1) `http://localhost:3000/`\n2) `http://localhost:3000/foo2`\n\n### Patches\n\nThis issue was patched in Undici v5.8.1\n\n### Workarounds\n\nSanitize input when sending content-type headers using user input.\n\n## For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document",
"id": "GHSA-f772-66g8-q5h3",
"modified": "2023-01-19T01:01:59Z",
"published": "2022-08-18T19:02:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35948"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/releases/tag/v5.8.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nodejs \u2018undici\u2019 vulnerable to CRLF Injection via Content-Type"
}
GHSA-F8FV-FV9M-8539
Vulnerability from github – Published: 2026-05-28 21:32 – Updated: 2026-05-29 00:38Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback.
{
"affected": [],
"aliases": [
"CVE-2026-49130"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T20:16:26Z",
"severity": "MODERATE"
},
"details": "Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat\u0027s decoding of numeric character references prior to the character data callback.",
"id": "GHSA-f8fv-fv9m-8539",
"modified": "2026-05-29T00:38:33Z",
"published": "2026-05-28T21:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49130"
},
{
"type": "WEB",
"url": "https://github.com/MusicPlayerDaemon/MPD/issues/2483"
},
{
"type": "WEB",
"url": "https://github.com/MusicPlayerDaemon/MPD/commit/855085b35c67dddeef0652e2cb3ac8cdd4f457b7"
},
{
"type": "WEB",
"url": "https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11"
},
{
"type": "WEB",
"url": "https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS"
},
{
"type": "WEB",
"url": "https://www.musicpd.org/news/2026/05/mpd-0-24-11-released"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/music-player-daemon-crlf-injection-via-xspfplaylistplugin-cxx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-F8P7-H97Q-7VX7
Vulnerability from github – Published: 2026-06-12 12:31 – Updated: 2026-06-12 18:31The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.
{
"affected": [],
"aliases": [
"CVE-2026-50629"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T10:16:22Z",
"severity": "HIGH"
},
"details": "The \u0027clientId\u0027 parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server\u0027s log files.\u00a0Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue.",
"id": "GHSA-f8p7-h97q-7vx7",
"modified": "2026-06-12T18:31:53Z",
"published": "2026-06-12T12:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50629"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xw95po30p8th58ms1no6b0f2375cql00"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/11/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F9VR-G2G2-X9FG
Vulnerability from github – Published: 2026-06-26 21:59 – Updated: 2026-06-26 21:59Summary
CRLF injection in hackney's WebSocket upgrade request builder (src/hackney_ws.erl). init/1 copies the host, path, headers, and protocols options from the caller-supplied opts map verbatim into #ws_data{}, and do_handshake/1 splices them directly into the raw HTTP/1.1 upgrade request by binary concatenation with no \r\n or \0 stripping. A caller that passes any of these fields from untrusted input can inject arbitrary header lines into the outbound upgrade request.
Details
do_handshake/1 builds the upgrade request at several concatenation sites:
- Host header (lines 583–590): the host binary is written straight into
Host: <host>:<port>\r\n. - Sec-WebSocket-Protocol (lines 601–602): protocol tokens are joined with
,and appended as a header line. - Extra headers (line 606): caller-supplied
{Name, Value}tuples are concatenated asName: Value\r\nwith no sanitization of either component. - Request path (line 611): the path is interpolated into the
GET <path> HTTP/1.1\r\nrequest line.
None of these sites reject \r, \n, or \0. A header value like <<"benign\r\nAuthorization: Bearer token">> produces two distinct header lines on the wire. A path with an embedded \r\n rewrites the request line itself.
PoC
- Call
:hackney_ws.start_link/1withheaders: [{"X-User", "v\r\nAuthorization: Bearer attacker"}]. - Connect to a raw TCP listener and capture the bytes hackney writes.
- The request contains a standalone
Authorization: Bearer attackerline that the upstream WebSocket server parses as a legitimate header.
Impact
Header injection / request smuggling in outbound WebSocket upgrades. Affects hackney 2.0.0 through 4.0.0 wherever host, path, headers, or protocols options are populated from network or user input. Consequences include forging authentication headers toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. CVSS v4.0: 6.9 (MEDIUM).
Resources
- Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e
- Patch commit: https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "hackney"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47072"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:59:44Z",
"nvd_published_at": "2026-05-25T15:16:22Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nCRLF injection in hackney\u0027s WebSocket upgrade request builder (`src/hackney_ws.erl`). `init/1` copies the `host`, `path`, `headers`, and `protocols` options from the caller-supplied opts map verbatim into `#ws_data{}`, and `do_handshake/1` splices them directly into the raw HTTP/1.1 upgrade request by binary concatenation with no `\\r\\n` or `\\0` stripping. A caller that passes any of these fields from untrusted input can inject arbitrary header lines into the outbound upgrade request.\n\n### Details\n\n`do_handshake/1` builds the upgrade request at several concatenation sites:\n\n- **Host header** (lines 583\u2013590): the host binary is written straight into `Host: \u003chost\u003e:\u003cport\u003e\\r\\n`.\n- **Sec-WebSocket-Protocol** (lines 601\u2013602): protocol tokens are joined with `, ` and appended as a header line.\n- **Extra headers** (line 606): caller-supplied `{Name, Value}` tuples are concatenated as `Name: Value\\r\\n` with no sanitization of either component.\n- **Request path** (line 611): the path is interpolated into the `GET \u003cpath\u003e HTTP/1.1\\r\\n` request line.\n\nNone of these sites reject `\\r`, `\\n`, or `\\0`. A header value like `\u003c\u003c\"benign\\r\\nAuthorization: Bearer token\"\u003e\u003e` produces two distinct header lines on the wire. A path with an embedded `\\r\\n` rewrites the request line itself.\n\n### PoC\n\n1. Call `:hackney_ws.start_link/1` with `headers: [{\"X-User\", \"v\\r\\nAuthorization: Bearer attacker\"}]`.\n2. Connect to a raw TCP listener and capture the bytes hackney writes.\n3. The request contains a standalone `Authorization: Bearer attacker` line that the upstream WebSocket server parses as a legitimate header.\n\n### Impact\n\nHeader injection / request smuggling in outbound WebSocket upgrades. Affects hackney 2.0.0 through 4.0.0 wherever `host`, `path`, `headers`, or `protocols` options are populated from network or user input. Consequences include forging authentication headers toward the upstream server, log and cache poisoning, and request smuggling through intermediary proxies. CVSS v4.0: **6.9 (MEDIUM)**.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/690cecaf236fba49526da404a5bc889a24367a3e\n* Patch commit: https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1",
"id": "GHSA-f9vr-g2g2-x9fg",
"modified": "2026-06-26T21:59:44Z",
"published": "2026-06-26T21:59:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47072"
},
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-47072.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/benoitc/hackney"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hackney has CRLF / header injection in WebSocket upgrade request"
}
GHSA-FFGX-7Q59-GRGC
Vulnerability from github – Published: 2026-05-27 00:31 – Updated: 2026-05-28 18:30Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.
The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).
{
"affected": [],
"aliases": [
"CVE-2026-46740"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T23:16:20Z",
"severity": "MODERATE"
},
"details": "Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections.\n\nThe metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.\n\nVersion 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720).",
"id": "GHSA-ffgx-7q59-grgc",
"modified": "2026-05-28T18:30:26Z",
"published": "2026-05-27T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46740"
},
{
"type": "WEB",
"url": "https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G2WM-735Q-3F56
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-06-08 20:17Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.
cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.
This issue affects cowlib from 2.9.0.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "cowlib"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"last_affected": "2.16.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43969"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:48:35Z",
"nvd_published_at": "2026-05-11T19:16:25Z",
"severity": "LOW"
},
"details": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.\n\ncow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting \"; admin=1\" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check.\n\nThis issue affects cowlib from 2.9.0.",
"id": "GHSA-g2wm-735q-3f56",
"modified": "2026-06-08T20:17:02Z",
"published": "2026-05-11T21:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43969"
},
{
"type": "WEB",
"url": "https://github.com/erlef/cowlib/commit/177953dd51540da11090666c1f007214127a1144"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-43969.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/ninenines/cowlib"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43969"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.