CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-H22Q-G2C7-2JWJ
Vulnerability from github – Published: 2022-05-01 18:21 – Updated: 2023-09-22 21:41CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some of these details are obtained from third party information.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "joomla/application"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2007-4190"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-22T21:41:58Z",
"nvd_published_at": "2007-08-08T01:17:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some of these details are obtained from third party information.",
"id": "GHSA-h22q-g2c7-2jwj",
"modified": "2023-09-22T21:41:58Z",
"published": "2022-05-01T18:21:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4190"
},
{
"type": "PACKAGE",
"url": "https://github.com/joomla/joomla-cms"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20071001212343/http://www.joomla.org/content/view/3677/1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Joomla! vulnerable to CRLF injection"
}
GHSA-H2VR-GV3V-GQHP
Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2025-09-23 15:31An improper neutralization of CRLF sequences ('CRLF Injection') vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.
We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QTS 5.2.2.2950 build 20241114 and later QuTS hero h5.1.9.2954 build 20241120 and later QuTS hero h5.2.2.2952 build 20241116 and later
{
"affected": [],
"aliases": [
"CVE-2024-48868"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T17:15:09Z",
"severity": "HIGH"
},
"details": "An improper neutralization of CRLF sequences (\u0027CRLF Injection\u0027) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to modify application data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.1.9.2954 build 20241120 and later\nQTS 5.2.2.2950 build 20241114 and later\nQuTS hero h5.1.9.2954 build 20241120 and later\nQuTS hero h5.2.2.2952 build 20241116 and later",
"id": "GHSA-h2vr-gv3v-gqhp",
"modified": "2025-09-23T15:31:06Z",
"published": "2024-12-06T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48868"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-24-49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H838-7G67-J96H
Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.
An authenticated user with sufficient privileges may be able to modify account settings and gain elevated administrative privileges.
{
"affected": [],
"aliases": [
"CVE-2026-15429"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:16:44Z",
"severity": "MODERATE"
},
"details": "A privilege escalation vulnerability exists in the HTTP authentication component in Archer VX1800v v1. Improper handling of user-controlled input may allow newline characters to be injected into internally constructed configuration data.\u00a0\n\n\n\n\n\n\n\n\n\nAn\nauthenticated user with sufficient privileges may be able to modify account\nsettings and gain elevated administrative privileges.",
"id": "GHSA-h838-7g67-j96h",
"modified": "2026-07-14T18:31:57Z",
"published": "2026-07-14T18:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15429"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-vx1800v/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/5189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJXQ-7W9Q-2JW6
Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-06-30 18:31CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
{
"affected": [],
"aliases": [
"CVE-2026-1502"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T18:16:40Z",
"severity": "MODERATE"
},
"details": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
"id": "GHSA-hjxq-7w9q-2jw6",
"modified": "2026-06-30T18:31:31Z",
"published": "2026-04-10T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1502"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/146211"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/146212"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/56b7100b04e44ea27989242b176beb8f016b2c53"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/58703ec1bdd1eb075e8b01a0c427683ce594dd3e"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HM49-WCQC-G2XG
Vulnerability from github – Published: 2026-05-04 22:04 – Updated: 2026-06-17 19:45Summary
Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands.
Details
Net::IMAP's generic argument handling, used by most command arguments, interprets string arguments as an IMAP astring. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a atom, quoted, or literal. These are safe from command or argument injection.
But the following commands transform specific String arguments to Net::IMAP::RawData, which bypasses normal argument validation and encoding and prints the string directly to the socket:
* #uid_search, #search, #uid_sort, #sort, #uid_thread, #thread
* when criteria is a String, it is sent raw
* #uid_fetch, #fetch
* whenattris a String, it is sent raw
* whenattris an Array, each String inattris sent raw
*#uid_store,#store* whenattris a String, it is sent raw
*#setquota:
*limitis interpolated with#to_s` and that string is sent raw
Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.
Using \"raw data\" arguments for #uid_store, #store, and #setquota I both inappropriate and unnecessary. Net::IMAP's generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.
The API for search criteria and fetch attributes is intentionally low-level and \"close to the wire\". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.
Although this was explicitly documented for search criteria, it was insufficiently documented for fetch attr. So developers may not have realized that the attr argument to #fetch and #uid_fetch is sent as \"raw data\".
Impact
If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.
The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.
The SORT and THREAD commands and their UID variants also handle their search criteria argument similarly to SEARCH and are subject to the same risk.
Expected use of Net::IMAP#setquota is much more limited: SETQUOTA is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol SETQUOTA command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling #setquota with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.
Mitigation
- Update to a patched version of
net-imapwhich: - validates that
Net::IMAP::RawDatais composed of well-formed IMAPtext,literal, andliteral8values, with no unescapedNULL,CR, orLFbytes. - does not use
Net::IMAP::RawDatafor#store,#uid_store, or#setquota. - Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
- If an immediate upgrade is not possible:
- String inputs to search criteria and fetch attributes can be validated against command injection by checking for
\rand\ncharacters. - Hard-coding the store
attrargument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application. - Use
Kernel#Integerto coerce and validate user controlled inputs to#setquotalimit.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.3"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.13"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "0.5.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.23"
},
"package": {
"ecosystem": "RubyGems",
"name": "net-imap"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42257"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T22:04:41Z",
"nvd_published_at": "2026-05-09T20:16:28Z",
"severity": "MODERATE"
},
"details": "### Summary\nSeveral `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.\n\n### Details\n\n`Net::IMAP`\u0027s generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection\u0027s UTF-8 support, this encodes strings as either a `atom`, `quoted`, or `literal`. These are safe from command or argument injection.\n\nBut the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal argument validation and encoding and prints the string directly to the socket:\n* `#uid_search`, `#search`, `#uid_sort`, `#sort`, `#uid_thread`, `#thread`\n * when `criteria` is a String, it is sent raw\n* `#uid_fetch`, `#fetch\n * when `attr` is a String, it is sent raw\n * when `attr` is an Array, each String in `attr` is sent raw\n* `#uid_store`, `#store`\n * when `attr` is a String, it is sent raw\n* `#setquota`:\n * `limit` is interpolated with `#to_s` and that string is sent raw\n\nBecause these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.\n\nUsing \\\"raw data\\\" arguments for `#uid_store`, `#store`, and `#setquota` I both inappropriate and unnecessary. `Net::IMAP`\u0027s generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.\n\nThe API for search criteria and fetch attributes is intentionally low-level and \\\"close to the wire\\\". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.\n\nAlthough this was explicitly documented for search `criteria`, it was insufficiently documented for fetch `attr`. So developers may not have realized that the `attr` argument to `#fetch` and `#uid_fetch` is sent as \\\"raw data\\\".\n\n### Impact\n\nIf a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not _directly_ enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system\u0027s attributes, e.g.: shared mail folders or the application\u0027s installed response handlers.\n\nThe SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.\n\nThe SORT and THREAD commands and their UID variants also handle their search criteria argument similarly to SEARCH and are subject to the same risk.\n\nExpected use of `Net::IMAP#setquota` is much more limited: `SETQUOTA` is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol `SETQUOTA` command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling `#setquota` with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.\n\n### Mitigation\n - Update to a patched version of `net-imap` which:\n - validates that `Net::IMAP::RawData` is composed of well-formed IMAP `text`, `literal`, and `literal8` values, with no unescaped `NULL`, `CR`, or `LF` bytes.\n - does not use `Net::IMAP::RawData` for `#store`, `#uid_store`, or `#setquota`.\n - Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.\n - If an immediate upgrade is not possible:\n - String inputs to search criteria and fetch attributes can be validated against command injection by checking for `\\r` and `\\n` characters.\n - Hard-coding the store `attr` argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.\n - Use `Kernel#Integer` to coerce and validate user controlled inputs to `#setquota` limit.",
"id": "GHSA-hm49-wcqc-g2xg",
"modified": "2026-06-17T19:45:30Z",
"published": "2026-05-04T22:04:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42257"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/net-imap"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
},
{
"type": "WEB",
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42257.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "net-imap vulnerable to command Injection via \"raw\" arguments to multiple commands"
}
GHSA-HMW2-7CC7-3QXX
Vulnerability from github – Published: 2026-06-15 17:26 – Updated: 2026-06-15 17:26Summary
form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormData#append and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR (\r), LF (\n), or ". An application that uses untrusted input as a field name or filename therefore lets an attacker terminate the header line and either inject additional headers or smuggle whole additional multipart parts into the request the application forwards to a backend.
This is CWE-93 (CRLF injection). It is a divergence from how browsers and the WHATWG HTML spec serialize form-data (they escape these characters), so the fix is to match that behavior. Severity is conditional: it depends on the consuming application passing attacker-controlled data as a field name or filename. Applications that only use fixed/trusted field names are not affected.
Details
In lib/form_data.js, _multiPartHeader builds the part header as:
'Content-Disposition': ['form-data', 'name="' + field + '"'].concat(contentDisposition || [])
and _getContentDisposition builds filename="' + filename + '"'. Neither escapes control characters, so a \r\n in field/filename ends the header line. The same applies to ", which can break out of the quoted parameter.
Proof of concept
const FormData = require('form-data');
const form = new FormData();
form.append('email"\r\nX-Injected: true\r\nfake="', 'user@example.com');
console.log(form.getBuffer().toString());
Before the fix this emits an injected X-Injected: true header line. A field name that also includes --<boundary> sequences can introduce additional parts (e.g. an extra name="is_admin" field), which a downstream parser accepts as legitimate.
Impact
For an application that uses untrusted field names/filenames:
- Field injection / override (integrity). Inject or override fields the backend trusts (e.g.
is_admin,role) — the primary demonstrated impact. - Header injection into the generated multipart part.
Claims of guaranteed privilege escalation, authentication bypass, high confidentiality impact, and availability impact are application-dependent downstream consequences, not properties of form-data itself, and are not demonstrated by the PoC.
Severity
The demonstrated, library-attributable impact is integrity (field/header injection); there is no demonstrated confidentiality disclosure or availability impact in form-data itself, and exploitation requires the consuming app to feed untrusted data into field names/filenames. A Moderate (≈5.3, I:L) rating is also defensible given that precondition.
Patch
Fixed in 4.0.6, 3.0.5, and 2.5.6. Users on older 0.x/1.x/2.x releases should upgrade to 2.5.6 or later.
The fix escapes \r, \n, and " as %0D, %0A, and %22 in field names and filenames, matching the WHATWG HTML multipart/form-data encoding algorithm that browsers implement. This neutralizes the injection while leaving ordinary field names (including name[0], dotted, and unicode names) unchanged.
Workaround
Until upgrading, validate or reject field names/filenames that contain control characters before calling append:
if (/[\r\n]/.test(field)) { throw new Error('invalid field name'); }
Credit
Reported by yueyueL.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "form-data"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "form-data"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "form-data"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-12143"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:26:26Z",
"nvd_published_at": "2026-06-12T19:16:26Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`form-data` builds `multipart/form-data` request bodies. Through v4.0.5, the `field` name passed to `FormData#append` and the `filename` option are concatenated directly into the `Content-Disposition` header with no escaping of CR (`\\r`), LF (`\\n`), or `\"`. An application that uses **untrusted input as a field name or filename** therefore lets an attacker terminate the header line and either inject additional headers or smuggle whole additional multipart parts into the request the application forwards to a backend.\n\nThis is CWE-93 (CRLF injection). It is a divergence from how browsers and the WHATWG HTML spec serialize form-data (they escape these characters), so the fix is to match that behavior. Severity is **conditional**: it depends on the consuming application passing attacker-controlled data as a field name or filename. Applications that only use fixed/trusted field names are not affected.\n\n## Details\n\nIn `lib/form_data.js`, `_multiPartHeader` builds the part header as:\n\n```javascript\n\u0027Content-Disposition\u0027: [\u0027form-data\u0027, \u0027name=\"\u0027 + field + \u0027\"\u0027].concat(contentDisposition || [])\n```\n\nand `_getContentDisposition` builds `filename=\"\u0027 + filename + \u0027\"\u0027`. Neither escapes control characters, so a `\\r\\n` in `field`/`filename` ends the header line. The same applies to `\"`, which can break out of the quoted parameter.\n\n### Proof of concept\n\n```javascript\nconst FormData = require(\u0027form-data\u0027);\nconst form = new FormData();\nform.append(\u0027email\"\\r\\nX-Injected: true\\r\\nfake=\"\u0027, \u0027user@example.com\u0027);\nconsole.log(form.getBuffer().toString());\n```\n\nBefore the fix this emits an injected `X-Injected: true` header line. A field name that also includes `--\u003cboundary\u003e` sequences can introduce additional parts (e.g. an extra `name=\"is_admin\"` field), which a downstream parser accepts as legitimate.\n\n## Impact\n\nFor an application that uses untrusted field names/filenames:\n\n- **Field injection / override (integrity).** Inject or override fields the backend trusts (e.g. `is_admin`, `role`) \u2014 the primary demonstrated impact.\n- **Header injection** into the generated multipart part.\n\nClaims of guaranteed privilege escalation, authentication bypass, high confidentiality impact, and availability impact are application-dependent downstream consequences, not properties of `form-data` itself, and are not demonstrated by the PoC.\n\n### Severity\n\nThe demonstrated, library-attributable impact is integrity (field/header injection); there is no demonstrated confidentiality disclosure or availability impact in `form-data` itself, and exploitation requires the consuming app to feed untrusted data into field names/filenames. A Moderate (\u22485.3, `I:L`) rating is also defensible given that precondition.\n\n## Patch\n\nFixed in **4.0.6**, **3.0.5**, and **2.5.6**. Users on older 0.x/1.x/2.x releases should upgrade to 2.5.6 or later.\n\nThe fix escapes `\\r`, `\\n`, and `\"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the WHATWG HTML `multipart/form-data` encoding algorithm that browsers implement. This neutralizes the injection while leaving ordinary field names (including `name[0]`, dotted, and unicode names) unchanged.\n\n## Workaround\n\nUntil upgrading, validate or reject field names/filenames that contain control characters before calling `append`:\n\n```javascript\nif (/[\\r\\n]/.test(field)) { throw new Error(\u0027invalid field name\u0027); }\n```\n\n## Credit\n\nReported by [yueyueL](https://github.com/yueyueL).",
"id": "GHSA-hmw2-7cc7-3qxx",
"modified": "2026-06-15T17:26:26Z",
"published": "2026-06-15T17:26:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12143"
},
{
"type": "WEB",
"url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
},
{
"type": "WEB",
"url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
},
{
"type": "WEB",
"url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
},
{
"type": "PACKAGE",
"url": "https://github.com/form-data/form-data"
},
{
"type": "WEB",
"url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/form-data"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "form-data: CRLF injection in form-data via unescaped multipart field names and filenames"
}
GHSA-HPGH-HPWG-532V
Vulnerability from github – Published: 2026-06-04 00:30 – Updated: 2026-06-04 21:31Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.
The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.
{
"affected": [],
"aliases": [
"CVE-2026-8722"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T00:17:00Z",
"severity": "MODERATE"
},
"details": "Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections.\n\nThe metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics.",
"id": "GHSA-hpgh-hpwg-532v",
"modified": "2026-06-04T21:31:20Z",
"published": "2026-06-04T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8722"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46719"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46720"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HQ7V-MX3G-29HW
Vulnerability from github – Published: 2026-06-11 13:04 – Updated: 2026-06-12 19:23Impact
guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString() or an equivalent custom serializer. Creating a Uri, Request, or other PSR-7 object alone is not sufficient. The malformed host must be copied into the serialized Host header without further validation.
A vulnerable flow is:
- An application accepts a user-controlled URL.
- The URL is used to construct a PSR-7
UriorRequest. - The host component contains CRLF or another header-unsafe character.
- The request is serialized into a raw HTTP/1.x message without an explicit
Hostheader. - The host is copied into the serialized
Hostheader. - The serialized request is written to the network or otherwise processed by software that does not independently reject the malformed host.
In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing "\r\nX-Injected: yes" can cause the generated Host header to span multiple HTTP header lines.
This is not the normal request-sending path used by guzzlehttp/guzzle. Applications using guzzlehttp/psr7 only through Guzzle's standard HTTP client APIs are not expected to be affected. Applications are most likely to be affected when they manually serialize PSR-7 requests, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, or similar request-dispatch code that serializes requests without independently validating URI hosts and header data. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed serialized request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.
Patches
The issue is patched in 2.10.2 and later. 1.x is end-of-life and will not receive a patch.
Workarounds
If you cannot upgrade immediately, validate and reject all untrusted URI strings before constructing PSR-7 Uri or Request instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters:
if (preg_match('/[\x00-\x20\x7F]/', $untrustedUrl)) {
throw new \InvalidArgumentException('Insecure URL detected');
}
Applications that manually serialize or forward requests should also ensure the final HTTP client, transport, or serializer rejects invalid URI and header data before writing requests to the network.
References
- https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2
- https://www.rfc-editor.org/rfc/rfc9112.html#section-5
- https://www.rfc-editor.org/rfc/rfc9112.html#section-11.2
- https://www.rfc-editor.org/rfc/rfc9110.html#section-7.2
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "guzzlehttp/psr7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49214"
],
"database_specific": {
"cwe_ids": [
"CWE-113",
"CWE-20",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:04:47Z",
"nvd_published_at": "2026-06-11T13:16:33Z",
"severity": "MODERATE"
},
"details": "## Impact\n\n`guzzlehttp/psr7` did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with `GuzzleHttp\\Psr7\\Message::toString()` or an equivalent custom serializer. Creating a `Uri`, `Request`, or other PSR-7 object alone is not sufficient. The malformed host must be copied into the serialized `Host` header without further validation.\n\nA vulnerable flow is:\n\n1. An application accepts a user-controlled URL.\n2. The URL is used to construct a PSR-7 `Uri` or `Request`.\n3. The host component contains CRLF or another header-unsafe character.\n4. The request is serialized into a raw HTTP/1.x message without an explicit `Host` header.\n5. The host is copied into the serialized `Host` header.\n6. The serialized request is written to the network or otherwise processed by software that does not independently reject the malformed host.\n\nIn that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing `\"\\r\\nX-Injected: yes\"` can cause the generated `Host` header to span multiple HTTP header lines.\n\nThis is not the normal request-sending path used by `guzzlehttp/guzzle`. Applications using `guzzlehttp/psr7` only through Guzzle\u0027s standard HTTP client APIs are not expected to be affected. Applications are most likely to be affected when they manually serialize PSR-7 requests, forward raw HTTP messages, or use custom transports, proxying, crawling, webhook delivery, or similar request-dispatch code that serializes requests without independently validating URI hosts and header data. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed serialized request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.\n\n## Patches\n\nThe issue is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch.\n\n## Workarounds\n\nIf you cannot upgrade immediately, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters:\n\n```php\nif (preg_match(\u0027/[\\x00-\\x20\\x7F]/\u0027, $untrustedUrl)) {\n throw new \\InvalidArgumentException(\u0027Insecure URL detected\u0027);\n}\n```\n\nApplications that manually serialize or forward requests should also ensure the final HTTP client, transport, or serializer rejects invalid URI and header data before writing requests to the network.\n\n## References\n\n* https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2\n* https://www.rfc-editor.org/rfc/rfc9112.html#section-5\n* https://www.rfc-editor.org/rfc/rfc9112.html#section-11.2\n* https://www.rfc-editor.org/rfc/rfc9110.html#section-7.2",
"id": "GHSA-hq7v-mx3g-29hw",
"modified": "2026-06-12T19:23:58Z",
"published": "2026-06-11T13:04:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/guzzle/psr7/security/advisories/GHSA-hq7v-mx3g-29hw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49214"
},
{
"type": "PACKAGE",
"url": "https://github.com/guzzle/psr7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "guzzlehttp/psr7 has CRLF Injection via URI Host Component"
}
GHSA-HR5V-C6V7-WV78
Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-05-14 03:46CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4.8.x before 4.8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-2017"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-18T14:29:00Z",
"severity": "MODERATE"
},
"details": "CRLF injection vulnerability in OXID eShop Professional Edition before 4.7.11 and 4.8.x before 4.8.4, Enterprise Edition before 5.0.11 and 5.1.x before 5.1.4, and Community Edition before 4.7.11 and 4.8.x before 4.8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "GHSA-hr5v-c6v7-wv78",
"modified": "2022-05-14T03:46:10Z",
"published": "2022-05-14T03:46:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2017"
},
{
"type": "WEB",
"url": "https://bugs.oxid-esales.com/view.php?id=5635"
},
{
"type": "WEB",
"url": "https://oxidforge.org/en/security-bulletin-2014-002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HV23-4QP7-8C8R
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-06-08 20:16Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.
cow_sse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefix_lines/2 function used for data and comment fields splits only on \n. Because the SSE specification requires decoders to treat \r\n, \r, and \n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.
This issue affects cowlib from 2.6.0.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "cowlib"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.16.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43968"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T16:47:11Z",
"nvd_published_at": "2026-05-11T19:16:25Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.\n\ncow_sse:event/1 in cowlib guards the id and event fields against \\n but not against bare \\r, and the internal prefix_lines/2 function used for data and comment fields splits only on \\n. Because the SSE specification requires decoders to treat \\r\\n, \\r, and \\n as equivalent line terminators, an attacker who controls any of these fields can inject additional SSE lines and forge a complete event with an arbitrary event type and data payload on the receiving end. In typical deployments where browser EventSource clients or other SSE consumers dispatch on event.type and render event.data, this enables event splitting, client-side logic manipulation, and stored-XSS-equivalent behaviour when event data is inserted into the DOM.\n\nThis issue affects cowlib from 2.6.0.",
"id": "GHSA-hv23-4qp7-8c8r",
"modified": "2026-06-08T20:16:50Z",
"published": "2026-05-11T21:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43968"
},
{
"type": "WEB",
"url": "https://github.com/ninenines/cowlib/commit/6165fc40efa159ba1cceee7e7981e790acba5d9c"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-43968.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/ninenines/cowlib"
},
{
"type": "WEB",
"url": "https://github.com/ninenines/cowlib/releases/tag/2.16.1"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43968"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ninenines cowlib: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability allows SSE event splitting and injection via unvalidated field values"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.