
CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)) — Vulnerability Class 55

55 vulnerabilities classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)). AI Chinese analysis included.

CWE-113 represents a critical input validation weakness where software fails to properly sanitize carriage return and line feed characters within user-supplied data before embedding it into HTTP headers. Attackers typically exploit this vulnerability by injecting malicious CRLF sequences, effectively splitting the HTTP response to inject arbitrary headers or body content. This technique, known as HTTP Response Splitting, can facilitate session hijacking, cross-site scripting, or cache poisoning attacks by manipulating downstream proxies or browsers. To mitigate this risk, developers must rigorously validate and neutralize all incoming data, specifically filtering out or encoding CR and LF characters before they are processed for header construction. Implementing strict input validation libraries and adhering to secure coding standards ensures that untrusted data cannot alter the structure of HTTP messages, thereby preserving the integrity of the communication channel and preventing malicious header injection.

MITRE CWE Description
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. HTTP agents or components may include a web server, load balancer, reverse proxy, web caching proxy, application firewall, web browser, etc. Regardless of the role, they are expected to maintain coherent, consistent HTTP communication state across all components. However, including unexpected data in an HTTP header allows an attacker to specify the entirety of the HTTP message that is rendered by the client HTTP agent (e.g., web browser) or back-end HTTP agent (e.g., web server), whether the message is part of a request or a response. When an HTTP request contains unexpected CR and LF characters, the server may respond with an output stream that is interpreted as "splitting" the stream into two different HTTP messages instead of one. CR is carriage return, also given by %0d or \r, and LF is line feed, also given by %0a or \n. In addition to CR and LF characters, other valid/RFC compliant special characters and unique character encodings can be utilized, such as HT (horizontal tab, also given by %09 or \t) and SP (space, also given as + sign or %20). These types of unvalidated and unexpected data in HTTP message headers allow an attacker to control the second "split" message to mount attacks such as server-side request forgery, cross-site scripting, and …
Common Consequences (1)
Scope: Integrity, Access Control · Impact: Modify Application Data, Gain Privileges or Assume Identity
CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the message that the application intends to send/receive, as well as allowing them to create additional messages entirely under their control.
Mitigations (4)
Implementation: Construct HTTP headers very carefully, avoiding the use of non-validated input data.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms. When performing input validation, consider all potentially relevant properties, including length, type of input, the full r…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Bad · Java

    // author is taken straight from the request and is never validated
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    // the unvalidated value becomes part of a Set-Cookie header line
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Result

For a benign value such as "Jane Smith", the response contains the expected single cookie header:

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server.
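As an added example that is not part of the CWE entry or this page: a Python counterpart to the Java snippet above, placing the unvalidated header build beside an allowlist check of the kind the mitigations describe, plus a small field parser that shows why a CRLF in the value produces two header fields. The function names and the sample values are constructed for this illustration.

```python
import re

# RFC 7230 field-value: visible ASCII plus SP and HTAB. CR, LF, NUL and other
# control characters are rejected outright rather than stripped or escaped,
# which is the "accept known good" strategy from the mitigations above.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e]*")

# RFC 6265 cookie-octet (no CTLs, DQUOTE, comma, semicolon or backslash), with
# SP additionally allowed only because the page's example stores "Jane Smith".
_COOKIE_VALUE_RE = re.compile(r"[\x20\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")


class HeaderInjectionError(ValueError):
    """The value would change HTTP message framing if placed in a header."""


def naive_set_cookie(name: str, value: str) -> str:
    """Same shape as the vulnerable Java above: the request value is used as-is."""
    return f"Set-Cookie: {name}={value}"


def safe_set_cookie(name: str, value: str) -> str:
    """Hardened form: the value is validated before it reaches a header line.
    fullmatch is used deliberately; a '^...$' pattern with match() would still
    accept a value ending in a single LF because '$' matches before it."""
    if not _FIELD_VALUE_RE.fullmatch(value):
        raise HeaderInjectionError(f"control character in header value: {value!r}")
    if not _COOKIE_VALUE_RE.fullmatch(value):
        raise HeaderInjectionError(f"character not allowed in cookie value: {value!r}")
    return f"Set-Cookie: {name}={value}"


def parse_header_fields(header_block: str) -> list[tuple[str, str]]:
    """Split a serialized header block on CRLF the way a downstream HTTP agent
    does and return (name, value) pairs; one Set-Cookie should yield one field."""
    fields = []
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


# Constructed sample inputs: the page's benign author name, and the same name
# carrying a CRLF sequence followed by a header the request author chose.
BENIGN_AUTHOR = "Jane Smith"
CRLF_AUTHOR = "Jane Smith\r\nX-Injected: 1"
```

Running parse_header_fields over naive_set_cookie("author", CRLF_AUTHOR) yields two fields where one was intended, while safe_set_cookie raises HeaderInjectionError for the same input and returns the expected line for BENIGN_AUTHOR.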
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-42035 · Axios: Header Injection via Prototype Pollution — axios · 7.4 · High · 2026-04-24
CVE-2026-39971 · Serendipity: Host Header Injection leads to SMTP header injection via unvalidated HTTP_HOST — Serendipity · 7.2 · High · 2026-04-14
CVE-2026-40175 · Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain — axios · 4.8 · Medium · 2026-04-10
CVE-2026-34715 · ewe Has Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting) — ewe · 5.3 · Medium · 2026-04-02
CVE-2026-34520 · AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass — aiohttp · 9.1 · - · 2026-04-01
CVE-2026-34519 · AIOHTTP: HTTP response splitting via \r in reason phrase — aiohttp · 6.5 · - · 2026-04-01
CVE-2026-34514 · AIOHTTP: CRLF injection in multipart part content type header construction — aiohttp · 6.5 · - · 2026-04-01
CVE-2025-55271 · HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability — Aftermarket DPC · 3.1 · Low · 2026-03-26
CVE-2026-27810 · calibre Vulnerable to HTTP Response Header Injection — calibre · 6.4 · Medium · 2026-02-27
CVE-2026-24320 · Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) — SAP NetWeaver and ABAP Platform (Application Server ABAP) · 3.1 · Low · 2026-02-10
CVE-2026-23686 · CRLF Injection vulnerability in SAP NetWeaver Application Server Java — SAP NetWeaver Application Server Java · 3.4 · Low · 2026-02-10
CVE-2026-22779 · BlackSheep ClientSession is vulnerable to CRLF injection — BlackSheep · 4.3 (AI) · Medium (AI) · 2026-01-14
CVE-2025-61689 · HTTP.jl vulnerable to Header injection/Response splitting via header construction — HTTP.jl · 6.3 (AI) · Medium (AI) · 2025-10-10
CVE-2025-40927 · CGI::Simple versions 1.281 and earlier for Perl has a HTTP response splitting flaw — CGI::Simple · 6.1 · - · 2025-08-29
CVE-2025-42934 · CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice) — SAP S/4HANA (Supplier invoice) · 4.3 · Medium · 2025-08-12
CVE-2025-53007 · arduino-esp32 vulnerable to CRLF injection in WebServer.cpp — arduino-esp32 · 7.5 (AI) · High (AI) · 2025-06-26
CVE-2025-41234 · RFD Attack via "Content-Disposition" Header Sourced from Request — Spring Framework · 6.5 · Medium · 2025-06-12
CVE-2025-30221 · Pitchfork HTTP Request/Response Splitting vulnerability — pitchfork · 5.4 (AI) · Medium (AI) · 2025-03-27
CVE-2025-0825 · CRLF injection in Cpp-httplib · 6.1 · - · 2025-02-04
CVE-2024-52875 · GFI Kerio Control security vulnerability — Kerio Control · 8.8 · High · 2025-01-31
CVE-2024-45687 · HTTP Server incorrectly accepting disallowed characters within header values — Payara Server · 6.5 · - · 2025-01-21
CVE-2024-54021 · Fortinet FortiOS and Fortinet FortiProxy injection vulnerability — FortiOS · 6.4 · Medium · 2025-01-14
CVE-2024-42487 · Cilium's Gateway API route matching order contradicts specification — cilium · 4.0 · Medium · 2024-08-15
CVE-2024-20392 · Cisco AsyncOS security vulnerability — Cisco Secure Email · 6.1 · Medium · 2024-05-15
CVE-2024-24795 · Apache HTTP Server: HTTP Response Splitting in multiple modules — Apache HTTP Server · 9.1 · - · 2024-04-04
CVE-2024-23644 · trillium-http and trillium-client vulnerable to HTTP Request/Response Splitting — trillium · 6.8 · Medium · 2024-01-24
CVE-2023-48256 · Bosch Nexo cordless nutrunner security vulnerability — Nexo cordless nutrunner NXA015S-36V (0608842001) · 5.3 · Medium · 2024-01-10
CVE-2023-26147 · libhv cross-site scripting vulnerability — ithewei/libhv · 5.3 · Medium · 2023-09-29
CVE-2023-41834 · Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences — Apache Flink Stateful Functions · 5.4 · - · 2023-09-19
CVE-2023-26142 · Crow injection vulnerability — Crow · 6.5 · Medium · 2023-09-12

Vulnerabilities classified as CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)) represent 55 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.