CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-MP55-P8C9-RFW2
Vulnerability from github – Published: 2026-06-26 21:54 – Updated: 2026-06-26 21:54Summary
CRLF injection in hackney_cookie:setcookie/3 (src/hackney_cookie.erl). The function validates Name and Value against CR/LF and control characters but concatenates the domain and path options verbatim into the output binary. If either option carries attacker-controlled data, a Host header forwarded as the cookie domain, a request URI forwarded as the cookie path, a \r\n in the value splits the Set-Cookie header and lets the attacker inject additional headers into the HTTP response.
Details
1. Asymmetric validation
Lines 27–34 of hackney_cookie.erl run binary:match on Name and Value, rejecting =, ,, ;, whitespace, \r, \n, \013, and \014. The Domain and Path options (lines 47 and 51) skip this check entirely and land straight in the result iolist:
[<<"; Domain=">>, Domain]
[<<"; Path=">>, Path]
iolist_to_binary(...) on line 63 flattens everything and returns it to the caller.
2. Injection
A Path of <<"/x\r\nSet-Cookie: admin=1; Path=/">> produces a binary with a literal \r\n. Written into a Set-Cookie response header, the receiving HTTP parser splits it into two headers — one legitimate, one attacker-controlled.
3. Realistic trigger
Common patterns: keying the cookie domain off Host, deriving the path from the request URI, or copying a Location path into a cookie. Any of these lets a remote attacker control the injected content.
PoC
- Call
hackney_cookie:setcookie(<<"sid">>, <<"abc">>, [{path, <<"/x\r\nSet-Cookie: admin=1; Path=/">>}]). - The returned binary contains a literal
\r\nfollowed by a secondSet-Cookie:line. - Write the result into a
Set-Cookieresponse header — the client parses two headers, includingadmin=1.
Impact
Cookie injection / HTTP response splitting at the hackney_cookie API boundary. Affects hackney 0.9.0 through 4.0.0 wherever domain or path options are populated from request data. Exploitation can overwrite session/auth cookies, fix cookies, or strip Secure/HttpOnly flags. CVSS v4.0: 2.1 (LOW) — requires attacker-controlled input to reach the domain or path option.
Resources
- Introduction commit: https://github.com/benoitc/hackney/commit/602d5c7f2ea4acbc83ed75230655d935a0750ebc
- Patch commit: https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "hackney"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47069"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:54:19Z",
"nvd_published_at": "2026-05-25T15:16:21Z",
"severity": "LOW"
},
"details": "### Summary\n\nCRLF injection in `hackney_cookie:setcookie/3` (`src/hackney_cookie.erl`). The function validates `Name` and `Value` against CR/LF and control characters but concatenates the `domain` and `path` options verbatim into the output binary. If either option carries attacker-controlled data, a `Host` header forwarded as the cookie domain, a request URI forwarded as the cookie path, a `\\r\\n` in the value splits the `Set-Cookie` header and lets the attacker inject additional headers into the HTTP response.\n\n### Details\n\n**1. Asymmetric validation**\n\nLines 27\u201334 of `hackney_cookie.erl` run `binary:match` on `Name` and `Value`, rejecting `=`, `,`, `;`, whitespace, `\\r`, `\\n`, `\\013`, and `\\014`. The `Domain` and `Path` options (lines 47 and 51) skip this check entirely and land straight in the result iolist:\n\n```erlang\n[\u003c\u003c\"; Domain=\"\u003e\u003e, Domain]\n[\u003c\u003c\"; Path=\"\u003e\u003e, Path]\n```\n\n`iolist_to_binary(...)` on line 63 flattens everything and returns it to the caller.\n\n**2. Injection**\n\nA `Path` of `\u003c\u003c\"/x\\r\\nSet-Cookie: admin=1; Path=/\"\u003e\u003e` produces a binary with a literal `\\r\\n`. Written into a `Set-Cookie` response header, the receiving HTTP parser splits it into two headers \u2014 one legitimate, one attacker-controlled.\n\n**3. Realistic trigger**\n\nCommon patterns: keying the cookie domain off `Host`, deriving the path from the request URI, or copying a `Location` path into a cookie. Any of these lets a remote attacker control the injected content.\n\n### PoC\n\n1. Call `hackney_cookie:setcookie(\u003c\u003c\"sid\"\u003e\u003e, \u003c\u003c\"abc\"\u003e\u003e, [{path, \u003c\u003c\"/x\\r\\nSet-Cookie: admin=1; Path=/\"\u003e\u003e}])`.\n2. The returned binary contains a literal `\\r\\n` followed by a second `Set-Cookie:` line.\n3. Write the result into a `Set-Cookie` response header \u2014 the client parses two headers, including `admin=1`.\n\n### Impact\n\nCookie injection / HTTP response splitting at the `hackney_cookie` API boundary. Affects hackney 0.9.0 through 4.0.0 wherever `domain` or `path` options are populated from request data. Exploitation can overwrite session/auth cookies, fix cookies, or strip `Secure`/`HttpOnly` flags. CVSS v4.0: **2.1 (LOW)** \u2014 requires attacker-controlled input to reach the `domain` or `path` option.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/602d5c7f2ea4acbc83ed75230655d935a0750ebc\n* Patch commit: https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540",
"id": "GHSA-mp55-p8c9-rfw2",
"modified": "2026-06-26T21:54:19Z",
"published": "2026-06-26T21:54:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47069"
},
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-47069.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/benoitc/hackney"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hackney has CRLF / header injection via unvalidated `domain` and `path` options"
}
GHSA-MWGH-92M2-WVHV
Vulnerability from github – Published: 2026-05-05 22:14 – Updated: 2026-05-13 14:20Summary
The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import.
Details
Vulnerable code path
plugin/Scheduler/downloadICS.php — unauthenticated entry point:
if(!AVideoPlugin::isEnabledByName('Scheduler')){
forbiddenPage('Scheduler is disabled');
}
if(empty($_REQUEST['title'])){ forbiddenPage('Title cannot be empty'); }
if(empty($_REQUEST['date_start'])){ forbiddenPage('date_start cannot be empty'); }
Scheduler::downloadICS($_REQUEST['title'], $_REQUEST['date_start'], @$_REQUEST['date_end'],
@$_REQUEST['reminder'], @$_REQUEST['joinURL'], @$_REQUEST['description']);
There is no session check, no CSRF token, no user-role check — only an empty-check on title/date_start and a plugin-enabled check.
plugin/Scheduler/Scheduler.php:367-382 passes inputs directly to the ICS builder:
$props = array(
'location' => $location,
'description' => $description, // attacker-controlled
'dtstart' => $dtstart,
'dtend' => $dtend,
'summary' => $title, // attacker-controlled
'url' => $joinURL, // attacker-controlled
'valarm' => $VALARM,
);
$ics = new ICS($props);
...
echo $icsString;
objects/ICS.php:167-169 — incomplete escape:
private function escape_string($str) {
return preg_replace('/([\,;])/','\\\$1', $str);
}
Per RFC 5545 §3.3.11, TEXT values must also have CR/LF either folded or encoded as \n. This implementation does neither. ICS::to_string() (line 101) joins every property with "\r\n", so any raw \r\n sequence embedded in a value breaks out of the property line and injects new ICS directives.
Verified exploit output
Running the builder with a CRLF-laden description produces a file with two distinct VEVENT blocks (the second entirely attacker-controlled):
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
CALSCALE:GREGORIAN
BEGIN:VEVENT
DESCRIPTION:Hello
END:VEVENT
BEGIN:VEVENT
SUMMARY:Injected
URL:http://attacker.com
DTSTART:20260501T000000Z
DTEND:20260501T130000Z
SUMMARY:Legit
URL;VALUE=URI:https://example.com
DTSTAMP:20260424T082123Z
UID:69eb2803d1aa2
END:VEVENT
END:VCALENDAR
The injected BEGIN:VEVENT / END:VEVENT pair is standards-compliant and parsed as an additional event by Outlook, Apple Calendar, Google Calendar, and Thunderbird/Lightning.
PoC
-
Ensure the Scheduler plugin is enabled on the target (default-shipped optional plugin, commonly enabled on streaming deployments).
-
Send an unauthenticated GET request with CRLF-encoded payload in
description:
curl -o malicious.ics \
'http://victim.example.com/plugin/Scheduler/downloadICS.php?title=Team%20Standup&date_start=2026-05-01+12:00&description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%20Required%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish%0D%0ALOCATION:Online%0D%0ADESCRIPTION:Please%20click%20the%20URL%20to%20confirm%20your%20identity'
- The returned file contains two
VEVENTblocks. Import into any standards-compliant calendar client — both events appear in the victim's calendar. The injected event renders with an attacker-chosen clickable URL.
Local reproduction (without needing a running server) using the same code path:
php -r "require 'objects/ICS.php'; \$p = ['description' => \"Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com\", 'dtstart'=>'2026-05-01', 'dtend'=>'2026-05-01 13:00', 'summary'=>'Legit', 'url'=>'https://example.com']; echo (new ICS(\$p))->to_string();"
Produces the two-VEVENT output shown above (verified).
Impact
- Same-origin calendar phishing. The
.icsis served from the trusted AVideo domain, bypassing URL-reputation checks and email-filter suspicion of attacker-hosted attachments. - Arbitrary event spoofing. Attacker controls
SUMMARY,DTSTART,DTEND,URL,LOCATION,DESCRIPTION, and may add further ICS properties (e.g.ORGANIZER,ATTENDEE). Many mainstream calendar clients display theURLfield as a clickable link in the event body. - Integrity: Low — unwanted/forged events are added to the victim's calendar after they import the file.
- Auth: None. Precondition is only that the Scheduler plugin is enabled, which is typical on deployments that use AVideo's scheduled streaming features.
- Confidentiality / Availability: No direct impact.
Not a higher-severity response-splitting bug: PHP's header() blocks CRLF in response headers since 5.1.2, so the CRLF bytes do not escape into HTTP headers — only into the ICS body.
Recommended Fix
Strip or RFC-5545-encode CR/LF in ICS::escape_string() so newline bytes cannot break out of a property line. In objects/ICS.php:167-169:
private function escape_string($str) {
// RFC 5545 §3.3.11: escape backslash, semicolon, comma; encode newlines as \n
$str = str_replace(array("\\", "\r\n", "\r", "\n"), array("\\\\", "\\n", "\\n", "\\n"), $str);
return preg_replace('/([\,;])/', '\\\\$1', $str);
}
Additionally, plugin/Scheduler/downloadICS.php should either require authentication or at minimum apply strict input validation (length caps, character whitelists) on title, description, and joinURL — and joinURL should continue to be validated via isValidURL() (already done) before emission. Consider adding a defence-in-depth strip of CR/LF on every $_REQUEST parameter used by Scheduler::downloadICS().
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "29.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43882"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T22:14:31Z",
"nvd_published_at": "2026-05-11T22:22:12Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe unauthenticated `plugin/Scheduler/downloadICS.php` endpoint passes attacker-controlled `title`, `description`, and `joinURL` parameters into `Scheduler::downloadICS()`, which builds an ICS calendar file via the `ICS` helper class. `ICS::escape_string()` (`objects/ICS.php:167-169`) only escapes `,` and `;` and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including `END:VEVENT` / `BEGIN:VEVENT` pairs that add entire attacker-controlled calendar events. Because the malicious `.ics` file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen `SUMMARY`, `URL`, `LOCATION`, and `DESCRIPTION` landing in the victim\u0027s calendar after import.\n\n## Details\n\n### Vulnerable code path\n\n**`plugin/Scheduler/downloadICS.php`** \u2014 unauthenticated entry point:\n\n```php\nif(!AVideoPlugin::isEnabledByName(\u0027Scheduler\u0027)){\n forbiddenPage(\u0027Scheduler is disabled\u0027);\n}\nif(empty($_REQUEST[\u0027title\u0027])){ forbiddenPage(\u0027Title cannot be empty\u0027); }\nif(empty($_REQUEST[\u0027date_start\u0027])){ forbiddenPage(\u0027date_start cannot be empty\u0027); }\n\nScheduler::downloadICS($_REQUEST[\u0027title\u0027], $_REQUEST[\u0027date_start\u0027], @$_REQUEST[\u0027date_end\u0027],\n @$_REQUEST[\u0027reminder\u0027], @$_REQUEST[\u0027joinURL\u0027], @$_REQUEST[\u0027description\u0027]);\n```\n\nThere is no session check, no CSRF token, no user-role check \u2014 only an empty-check on `title`/`date_start` and a plugin-enabled check.\n\n**`plugin/Scheduler/Scheduler.php:367-382`** passes inputs directly to the ICS builder:\n\n```php\n$props = array(\n \u0027location\u0027 =\u003e $location,\n \u0027description\u0027 =\u003e $description, // attacker-controlled\n \u0027dtstart\u0027 =\u003e $dtstart,\n \u0027dtend\u0027 =\u003e $dtend,\n \u0027summary\u0027 =\u003e $title, // attacker-controlled\n \u0027url\u0027 =\u003e $joinURL, // attacker-controlled\n \u0027valarm\u0027 =\u003e $VALARM,\n);\n$ics = new ICS($props);\n...\necho $icsString;\n```\n\n**`objects/ICS.php:167-169`** \u2014 incomplete escape:\n\n```php\nprivate function escape_string($str) {\n return preg_replace(\u0027/([\\,;])/\u0027,\u0027\\\\\\$1\u0027, $str);\n}\n```\n\nPer RFC 5545 \u00a73.3.11, TEXT values must also have CR/LF either folded or encoded as `\\n`. This implementation does neither. `ICS::to_string()` (line 101) joins every property with `\"\\r\\n\"`, so any raw `\\r\\n` sequence embedded in a value breaks out of the property line and injects new ICS directives.\n\n### Verified exploit output\n\nRunning the builder with a CRLF-laden `description` produces a file with two distinct `VEVENT` blocks (the second entirely attacker-controlled):\n\n```\nBEGIN:VCALENDAR\nVERSION:2.0\nPRODID:-//hacksw/handcal//NONSGML v1.0//EN\nCALSCALE:GREGORIAN\nBEGIN:VEVENT\nDESCRIPTION:Hello\nEND:VEVENT\nBEGIN:VEVENT\nSUMMARY:Injected\nURL:http://attacker.com\nDTSTART:20260501T000000Z\nDTEND:20260501T130000Z\nSUMMARY:Legit\nURL;VALUE=URI:https://example.com\nDTSTAMP:20260424T082123Z\nUID:69eb2803d1aa2\nEND:VEVENT\nEND:VCALENDAR\n```\n\nThe injected `BEGIN:VEVENT` / `END:VEVENT` pair is standards-compliant and parsed as an additional event by Outlook, Apple Calendar, Google Calendar, and Thunderbird/Lightning.\n\n## PoC\n\n1. Ensure the Scheduler plugin is enabled on the target (default-shipped optional plugin, commonly enabled on streaming deployments).\n\n2. Send an unauthenticated GET request with CRLF-encoded payload in `description`:\n\n```\ncurl -o malicious.ics \\\n \u0027http://victim.example.com/plugin/Scheduler/downloadICS.php?title=Team%20Standup\u0026date_start=2026-05-01+12:00\u0026description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%20Required%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish%0D%0ALOCATION:Online%0D%0ADESCRIPTION:Please%20click%20the%20URL%20to%20confirm%20your%20identity\u0027\n```\n\n3. The returned file contains two `VEVENT` blocks. Import into any standards-compliant calendar client \u2014 both events appear in the victim\u0027s calendar. The injected event renders with an attacker-chosen clickable URL.\n\nLocal reproduction (without needing a running server) using the same code path:\n\n```\nphp -r \"require \u0027objects/ICS.php\u0027; \\$p = [\u0027description\u0027 =\u003e \\\"Hello\\r\\nEND:VEVENT\\r\\nBEGIN:VEVENT\\r\\nSUMMARY:Injected\\r\\nURL:http://attacker.com\\\", \u0027dtstart\u0027=\u003e\u00272026-05-01\u0027, \u0027dtend\u0027=\u003e\u00272026-05-01 13:00\u0027, \u0027summary\u0027=\u003e\u0027Legit\u0027, \u0027url\u0027=\u003e\u0027https://example.com\u0027]; echo (new ICS(\\$p))-\u003eto_string();\"\n```\n\nProduces the two-VEVENT output shown above (verified).\n\n## Impact\n\n- **Same-origin calendar phishing.** The `.ics` is served from the trusted AVideo domain, bypassing URL-reputation checks and email-filter suspicion of attacker-hosted attachments.\n- **Arbitrary event spoofing.** Attacker controls `SUMMARY`, `DTSTART`, `DTEND`, `URL`, `LOCATION`, `DESCRIPTION`, and may add further ICS properties (e.g. `ORGANIZER`, `ATTENDEE`). Many mainstream calendar clients display the `URL` field as a clickable link in the event body.\n- **Integrity:** Low \u2014 unwanted/forged events are added to the victim\u0027s calendar after they import the file.\n- **Auth:** None. Precondition is only that the Scheduler plugin is enabled, which is typical on deployments that use AVideo\u0027s scheduled streaming features.\n- **Confidentiality / Availability:** No direct impact.\n\nNot a higher-severity response-splitting bug: PHP\u0027s `header()` blocks CRLF in response headers since 5.1.2, so the CRLF bytes do not escape into HTTP headers \u2014 only into the ICS body.\n\n## Recommended Fix\n\nStrip or RFC-5545-encode CR/LF in `ICS::escape_string()` so newline bytes cannot break out of a property line. In `objects/ICS.php:167-169`:\n\n```php\nprivate function escape_string($str) {\n // RFC 5545 \u00a73.3.11: escape backslash, semicolon, comma; encode newlines as \\n\n $str = str_replace(array(\"\\\\\", \"\\r\\n\", \"\\r\", \"\\n\"), array(\"\\\\\\\\\", \"\\\\n\", \"\\\\n\", \"\\\\n\"), $str);\n return preg_replace(\u0027/([\\,;])/\u0027, \u0027\\\\\\\\$1\u0027, $str);\n}\n```\n\nAdditionally, `plugin/Scheduler/downloadICS.php` should either require authentication or at minimum apply strict input validation (length caps, character whitelists) on `title`, `description`, and `joinURL` \u2014 and `joinURL` should continue to be validated via `isValidURL()` (already done) before emission. Consider adding a defence-in-depth strip of CR/LF on every `$_REQUEST` parameter used by `Scheduler::downloadICS()`.",
"id": "GHSA-mwgh-92m2-wvhv",
"modified": "2026-05-13T14:20:32Z",
"published": "2026-05-05T22:14:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43882"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing"
}
GHSA-P3J2-V862-H3V3
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
{
"affected": [],
"aliases": [
"CVE-2019-9740"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-13T03:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.",
"id": "GHSA-p3j2-v862-h3v3",
"modified": "2022-05-13T01:11:47Z",
"published": "2022-05-13T01:11:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4127-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4127-1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190619-0005"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-26"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Oct/29"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue36276"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3725"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3520"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3335"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2030"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1260"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154927/Slackware-Security-Advisory-python-Updates.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/02/04/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107466"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P69P-39VF-6X53
Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2025-10-23 18:31CRLF-injection in KeeneticOS before 4.3 at "/auth" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.
{
"affected": [],
"aliases": [
"CVE-2025-56007"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-23T15:15:39Z",
"severity": "MODERATE"
},
"details": "CRLF-injection in KeeneticOS before 4.3 at \"/auth\" API endpoint allows attackers to take over the device via adding additional users with full permissions by managing the victim to open page with exploit.",
"id": "GHSA-p69p-39vf-6x53",
"modified": "2025-10-23T18:31:14Z",
"published": "2025-10-23T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56007"
},
{
"type": "WEB",
"url": "https://keenetic.com"
},
{
"type": "WEB",
"url": "https://keenetic.com/global/security#october-2025-web-api-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P759-VW7C-CVG8
Vulnerability from github – Published: 2022-05-14 03:00 – Updated: 2025-04-12 12:57Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
{
"affected": [],
"aliases": [
"CVE-2016-3115"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-03-22T10:59:00Z",
"severity": "MODERATE"
},
"details": "Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.",
"id": "GHSA-p759-vw7c-cvg8",
"modified": "2025-04-12T12:57:53Z",
"published": "2022-05-14T03:00:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3115"
},
{
"type": "WEB",
"url": "https://bto.bluecoat.com/security-advisory/sa121"
},
{
"type": "WEB",
"url": "https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201612-18"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39569"
},
{
"type": "WEB",
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:14.openssh.asc"
},
{
"type": "WEB",
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c"
},
{
"type": "WEB",
"url": "http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c.diff?r1=1.281\u0026r2=1.282\u0026f=h"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183101.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183122.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178838.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179924.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180491.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184264.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/136234/OpenSSH-7.2p1-xauth-Command-Injection-Bypass.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0465.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0466.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2016/Mar/46"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2016/Mar/47"
},
{
"type": "WEB",
"url": "http://www.openssh.com/txt/x11fwd.adv"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/84314"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1035249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P83Q-QMCG-VF64
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2025-04-20 03:37HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier may allow a remote attackers to display false information.
{
"affected": [],
"aliases": [
"CVE-2017-2111"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-28T16:59:00Z",
"severity": "MODERATE"
},
"details": "HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier may allow a remote attackers to display false information.",
"id": "GHSA-p83q-qmcg-vf64",
"modified": "2025-04-20T03:37:01Z",
"published": "2022-05-17T02:46:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2111"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN46830433/index.html"
},
{
"type": "WEB",
"url": "http://www.iodata.jp/support/information/2017/camera201702"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96620"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P88M-4JFJ-68FV
Vulnerability from github – Published: 2026-06-19 14:21 – Updated: 2026-06-19 14:21Impact
undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.
Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.
This was introduced in undici 7.0.0 via #3789.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.27.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.28.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-9679"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:21:30Z",
"nvd_published_at": "2026-06-17T18:18:06Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nundici\u0027s cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 \u00a75.4 does not specify any decoding and browsers do not decode either.\n\nApplications that parse a `Set-Cookie` header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary `Set-Cookie`, `Location`, or `Cache-Control` headers into the application\u0027s downstream response, enabling session fixation, open redirect, or cache poisoning.\n\nAffected applications are those that use undici\u0027s cookie parsing (`parseSetCookie`, `parseCookie`, `getSetCookies`) and forward the parsed cookie value into a response header.\n\nThis was introduced in undici 7.0.0 via [#3789](https://github.com/nodejs/undici/pull/3789).\n\n## Patches\n\nUpgrade to undici v6.27.0, v7.28.0 or v8.5.0.\n\n## Workarounds\n\nIf upgrade is not immediately possible, do not forward values returned by `parseSetCookie`/`parseCookie`/`getSetCookies` directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, `;`, and `=` bytes.",
"id": "GHSA-p88m-4jfj-68fv",
"modified": "2026-06-19T14:21:30Z",
"published": "2026-06-19T14:21:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9679"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "undici vulnerable to HTTP header injection via Set-Cookie percent-decoding"
}
GHSA-PM23-QJX3-GG3F
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2023-08-16 18:30A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.
{
"affected": [],
"aliases": [
"CVE-2020-3561"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-21T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Clientless SSL VPN (WebVPN) of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to inject arbitrary HTTP headers in the responses of the affected system. The vulnerability is due to improper input sanitization. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to conduct a CRLF injection attack, adding arbitrary HTTP headers in the responses of the system and redirecting the user to arbitrary websites.",
"id": "GHSA-pm23-qjx3-gg3f",
"modified": "2023-08-16T18:30:19Z",
"published": "2022-05-24T17:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3561"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-crlf-inj-BX9uRwSn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PRJC-XC24-CV4P
Vulnerability from github – Published: 2025-11-18 18:32 – Updated: 2025-11-18 18:32An improper neutralization of crlf sequences ('crlf injection') in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link
{
"affected": [],
"aliases": [
"CVE-2025-54972"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T17:16:03Z",
"severity": "MODERATE"
},
"details": "An improper neutralization of crlf sequences (\u0027crlf injection\u0027) in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, FortiMail 7.0 all versions may allow an attacker to inject headers in the response via convincing a user to click on a specifically crafted link",
"id": "GHSA-prjc-xc24-cv4p",
"modified": "2025-11-18T18:32:54Z",
"published": "2025-11-18T18:32:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54972"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-634"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PV9C-9MFH-HVXQ
Vulnerability from github – Published: 2026-03-24 19:13 – Updated: 2026-03-27 22:00Summary
.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.
Details
Icalendar::Values::Uri falls back to the raw input string when URI.parse fails and later serializes it with value.to_s without removing or escaping \r or \n characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)
Relevant code:
- lib/icalendar/values/uri.rb:16
PoC
Run the following with the library loaded:
require "icalendar/value"
require "icalendar/values/uri"
v = Icalendar::Values::Uri.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
puts v.to_ical(Icalendar::Values::Text)
output:
;VALUE=URI:https://a.example/ok
ATTENDEE:mailto:evil@example.com
Impact
Applications that generate .ics files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields.
Fix
Reject raw CR and LF characters in URI-typed values before serialization, or escape/encode them so they cannot terminate the current ICS content line.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "icalendar"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.12.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33635"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:13:41Z",
"nvd_published_at": "2026-03-26T21:17:07Z",
"severity": "MODERATE"
},
"details": "### Summary\n.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.\n\n### Details\n`Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\\r` or `\\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)\n\nRelevant code:\n- `lib/icalendar/values/uri.rb:16`\n\n### PoC\nRun the following with the library loaded:\n\n```ruby\nrequire \"icalendar/value\"\nrequire \"icalendar/values/uri\"\n\nv = Icalendar::Values::Uri.new(\"https://a.example/ok\\r\\nATTENDEE:mailto:evil@example.com\")\nputs v.to_ical(Icalendar::Values::Text)\n```\n\noutput:\n\n```text\n;VALUE=URI:https://a.example/ok\nATTENDEE:mailto:evil@example.com\n```\n\n### Impact\nApplications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields.\n\n## Fix\nReject raw CR and LF characters in `URI`-typed values before serialization, or escape/encode them so they cannot terminate the current ICS content line.",
"id": "GHSA-pv9c-9mfh-hvxq",
"modified": "2026-03-27T22:00:24Z",
"published": "2026-03-24T19:13:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33635"
},
{
"type": "WEB",
"url": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265"
},
{
"type": "PACKAGE",
"url": "https://github.com/icalendar/icalendar"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "iCalendar has ICS injection via unsanitized URI property values"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.