
CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) — Vulnerability Class 89

89 vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')). AI Chinese analysis included.

CWE-93 represents a critical input validation weakness where applications fail to properly sanitize Carriage Return and Line Feed characters within user-supplied data. This vulnerability typically enables attackers to inject malicious HTTP headers or split response lines, facilitating attacks such as HTTP response splitting, session fixation, or cross-site scripting. By manipulating these control characters, adversaries can alter the structure of web responses, potentially redirecting users to phishing sites or injecting malicious scripts into the browser context. To mitigate this risk, developers must rigorously validate and sanitize all input fields, specifically filtering out or encoding CRLF sequences before processing. Implementing strict allow-lists for acceptable characters and utilizing framework-provided encoding functions ensures that these control characters are neutralized, thereby preserving the integrity of HTTP headers and preventing unauthorized manipulation of application logic.

MITRE CWE Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common Consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
Bad · Java
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...
Result
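As an added illustration of the cookie example above and of the second mitigation (this is not MITRE's code or the page's own), the following Python builds a Set-Cookie header from an untrusted value two ways, vulnerable and hardened, and shows which header names a client-side parser sees in each case; INJECTED_AUTHOR is a constructed input.

```python
import re

# CR, LF and NUL: the characters that let a value break out of a header field.
# (Constructed example; not code from the CWE page or from MITRE.)
_CONTROL_CHARS = re.compile(r"[\r\n\x00]")

def build_set_cookie_unsafe(name: str, value: str) -> str:
    """Vulnerable builder: the value is pasted into the header line as-is,
    exactly like the author cookie in the Java example above."""
    return f"Set-Cookie: {name}={value}"

def build_set_cookie_safe(name: str, value: str) -> str:
    """Hardened builder: reject any field containing CR, LF or NUL so the
    header can never span more than one line. Rejecting (rather than silently
    stripping) also gives the application an event worth logging."""
    if _CONTROL_CHARS.search(name) or _CONTROL_CHARS.search(value):
        raise ValueError("CR/LF not permitted in header fields")
    return f"Set-Cookie: {name}={value}"

def render_response(headers: list[str], body: str = "") -> str:
    """Assemble a minimal HTTP/1.1 response: each header ends with CRLF and a
    blank line separates the headers from the body."""
    return "HTTP/1.1 200 OK\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n" + body

def header_names(response: str) -> list[str]:
    """Return the header field names a client would parse out of a response."""
    head = response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]

# Constructed input: a benign name followed by a CRLF and a second header line.
INJECTED_AUTHOR = "Jane Smith\r\nX-Injected: 1"

def demo_unsafe() -> list[str]:
    """What a client sees when the vulnerable builder is used: two headers."""
    return header_names(render_response([build_set_cookie_unsafe("author", INJECTED_AUTHOR)]))

def demo_safe() -> bool:
    """The hardened builder refuses the same value."""
    try:
        build_set_cookie_safe("author", INJECTED_AUTHOR)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(demo_unsafe())  # ['Set-Cookie', 'X-Injected']
    print(demo_safe())    # True
```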
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
name: Deploy Preview
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Download artifact'
        uses: actions/github-script
        with:
          script: |
            var artifacts = await github.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "pr"
            })[0];
            var downloadPr = await github.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchPrArtifact.id,
              archive_format: 'zip',
            });
            var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
CVE ID | Title | CVSS | Severity | Published
CVE-2026-1714 | ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action — ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | 8.6 | High | 2026-02-18
CVE-2026-1536 | Libsoup: libsoup: http header injection or response splitting via crlf injection in content-disposition header — Red Hat Enterprise Linux 10 | 5.8 | Medium | 2026-01-28
CVE-2026-1467 | Libsoup: libsoup: http header injection via specially crafted urls when an http proxy is configured — Red Hat Enterprise Linux 10 | 5.8 | Medium | 2026-01-27
CVE-2026-24489 | Gakido vulnerable to HTTP Header Injection (CRLF Injection) — gakido | 5.3 | Medium | 2026-01-27
CVE-2026-1299 | email BytesGenerator header injection due to unquoted newlines — CPython | 4.3 | - | 2026-01-23
CVE-2026-23953 | Incus container environment configuration newline injection — incus | 8.7 | High | 2026-01-22
CVE-2026-0672 | Header injection in http.cookies.Morsel — CPython | 4.3 (AI) | Medium (AI) | 2026-01-20
CVE-2025-15282 | Header injection via newlines in data URL mediatype — CPython | 5.3 (AI) | Medium (AI) | 2026-01-20
CVE-2026-23829 | Mailpit has SMTP Header Injection via Regex Bypass — mailpit | 5.3 | Medium | 2026-01-18
CVE-2026-22777 | ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler — ComfyUI-Manager | 7.5 | High | 2026-01-10
CVE-2026-21428 | cpp-httplib has CRLF injection in http headers — cpp-httplib | 9.1 | - | 2026-01-01
CVE-2022-50682 | Kentico Xperience <= 13.0.79 Routing Engine CRLF Injection — Xperience | 6.5 | Medium | 2025-12-18
CVE-2025-67735 | Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder — netty | 6.5 | Medium | 2025-12-16
CVE-2025-14531 | code-projects Rental Management System Log Transaction.java crlf injection — Rental Management System | 4.3 | Medium | 2025-12-11
CVE-2025-54972 | Fortinet FortiMail injection vulnerability — FortiMail | 3.9 | Medium | 2025-11-18
CVE-2025-59151 | Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection — web | 8.2 | High | 2025-10-27
CVE-2025-59419 | Netty netty-codec-smtp SMTP Command Injection Vulnerability Allowing Email Forgery — netty | 9.8 | - | 2025-10-15
CVE-2025-57804 | h2 allows HTTP Request Smuggling due to illegal characters in headers — h2 | 7.5 (AI) | High (AI) | 2025-08-25
CVE-2025-8715 | PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server — PostgreSQL | 8.8 | High | 2025-08-14
CVE-2025-8419 | Org.keycloak/keycloak-services: keycloak smtp inject vulnerability — keycloak | 5.3 | Medium | 2025-08-06
CVE-2025-41376 | CRLF Injection in Limesurvey — LimeSurvey | 8.8 | - | 2025-08-01
CVE-2025-6175 | CRLF Injection in DECE Software's Geodi — Geodi | 7.2 | High | 2025-07-29
CVE-2025-0293 | Ivanti Connect Secure and Ivanti Policy Secure injection vulnerability — Connect Secure | 6.6 | Medium | 2025-07-08
CVE-2025-53094 | ESPAsyncWebServer Vulnerable to CRLF Injection in AsyncWebHeader.cpp — ESPAsyncWebServer | 5.8 (AI) | Medium (AI) | 2025-06-27
CVE-2025-52479 | HTTP.jl vulnerable to CR/LF Injection in URIs — HTTP.jl | 5.4 (AI) | Medium (AI) | 2025-06-25
CVE-2025-40671 | SQL injection vulnerability in AES Multimedia's Gestnet — Gestnet | 9.8 (AI) | Critical (AI) | 2025-05-26
CVE-2024-53693 | QTS, QuTS hero — QTS | 4.3 | - | 2025-03-07
CVE-2024-50405 | QTS, QuTS hero — QTS | 2.7 | - | 2025-03-07
CVE-2025-27111 | Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection — rack | 5.3 | - | 2025-03-04
CVE-2025-25184 | Possible Log Injection in Rack::CommonLogger — rack | 4.3 | - | 2025-02-12

Vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) represent 89 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.