
CWE-93 (Improper Neutralization of CRLF Sequences (CRLF Injection)) — Vulnerability Class (89 CVEs)

89 vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences (CRLF Injection)). AI Chinese analysis included.

CWE-93 represents a critical input validation weakness where applications fail to properly sanitize Carriage Return and Line Feed characters within user-supplied data. This vulnerability typically enables attackers to inject malicious HTTP headers or split response lines, facilitating attacks such as HTTP response splitting, session fixation, or cross-site scripting. By manipulating these control characters, adversaries can alter the structure of web responses, potentially redirecting users to phishing sites or injecting malicious scripts into the browser context. To mitigate this risk, developers must rigorously validate and sanitize all input fields, specifically filtering out or encoding CRLF sequences before processing. Implementing strict allow-lists for acceptable characters and utilizing framework-provided encoding functions ensures that these control characters are neutralized, thereby preserving the integrity of HTTP headers and preventing unauthorized manipulation of application logic.

MITRE CWE Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Common Consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

String author = request.getParameter(AUTHOR_PARAM);
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

Bad · Java

HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
...

Result
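The cookie case above, as an added Python example that is not part of the CWE text or of any product listed on this page: a small response builder that copies the untrusted value verbatim (as the Java snippet does), a header parser that shows how a client sees a CR/LF-bearing value as an extra header, and a hardened builder that applies the "filter or quote CRLF sequences" mitigation by rejecting such values. The function names and the sample value are assumptions.

```python
import re
from typing import List, Tuple

# CR, LF and NUL inside a header value let a client split the response into
# extra headers (RFC 9110 forbids them in field values); the safe builder refuses them.
_CTL = re.compile(r"[\r\n\x00]")
_COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 'token'


def set_cookie_header(name: str, value: str) -> str:
    """Return 'Set-Cookie: name=value', rejecting input that could split the header block."""
    if not _COOKIE_NAME.match(name):
        raise ValueError(f"invalid cookie name: {name!r}")
    if _CTL.search(value):
        raise ValueError("cookie value contains CR, LF or NUL")
    return f"Set-Cookie: {name}={value}"


def build_response(author: str, hardened: bool) -> bytes:
    """Build a minimal HTTP/1.1 response carrying the author cookie.

    hardened=False copies the untrusted value straight into the header, like the
    Java snippet above; hardened=True routes it through set_cookie_header().
    """
    if hardened:
        cookie = set_cookie_header("author", author)
    else:
        cookie = f"Set-Cookie: author={author}"
    return (f"HTTP/1.1 200 OK\r\n{cookie}\r\nContent-Type: text/html\r\n\r\n"
            "<html>ok</html>").encode("latin-1")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block into (name, value) pairs the way an HTTP client does."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def header_names(raw: bytes) -> List[str]:
    """Header names in the order a client would parse them; a split shows up as an extra name."""
    return [name for name, _ in parse_headers(raw)]


# Constructed sample input: a cookie value that carries a CRLF sequence.
TAINTED_AUTHOR = "Jane Smith\r\nX-Injected: yes"
```

With the unhardened builder the tainted value yields three headers instead of two; the hardened builder raises before any response is written.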
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
name: Deploy Preview
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Download artifact'
        uses: actions/github-script
        with:
          script: |
            var artifacts = await github.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner,
              repo: context.repo.repo,
              run_id: ${{ github.event.workflow_run.id }},
            });
            var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "pr"
            })[0];
            var downloadPr = await github.actions.downloadArtifact({
              owner: context.repo.owner,
              repo: context.repo.repo,
              artifact_id: matchPrArtifact.id,
              archive_format: 'zip',
            });
            var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-48868 | QTS, QuTS hero | QTS | 5.3 | - | 2024-12-06
CVE-2024-48867 | QTS, QuTS hero | QTS | 5.3 | - | 2024-12-06
CVE-2024-51501 | CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes | refit | 6.5 (AI) | Medium (AI) | 2024-11-04
CVE-2024-7472 | Email Injection Vulnerability in lunary-ai/lunary | lunary-ai/lunary | 5.3 (AI) | Medium (AI) | 2024-10-29
CVE-2024-45597 | Pluto's http.request allows CR and LF in header values | Pluto | 5.3 | Medium | 2024-09-10
CVE-2024-45302 | CRLF Injection in RestSharp's `RestRequest.AddHeader` method | RestSharp | 6.1 | Medium | 2024-08-29
CVE-2024-5193 | Ritlabs TinyWeb Server Request crlf injection | TinyWeb Server | 5.3 | Medium | 2024-05-22
CVE-2024-1226 | Multiple vulnerabilities in Rejetto's Http File Server | Http File Server | 7.5 | High | 2024-03-12
CVE-2024-20337 | Cisco Secure Client security vulnerability | Cisco Secure Client | 8.2 | High | 2024-03-06
CVE-2023-49082 | aiohttp's ClientSession is vulnerable to CRLF injection via method | aiohttp | 5.3 | Medium | 2023-11-29
CVE-2023-4768 | Improper Neutralization of CRLF Sequences in ManageEngine Desktop Central | Desktop Central | 6.1 | Medium | 2023-11-03
CVE-2023-4767 | Improper Neutralization of CRLF Sequences in ManageEngine Desktop Central | Desktop Central | 6.1 | Medium | 2023-11-03
CVE-2023-26148 | libhv injection vulnerability | ithewei/libhv | 5.4 | Medium | 2023-09-29
CVE-2023-26138 | Drogon injection vulnerability | drogonframework/drogon | 5.4 | Medium | 2023-07-06
CVE-2023-26130 | cpp-httplib injection vulnerability | yhirose/cpp-httplib | 7.5 | High | 2023-05-30
CVE-2023-23936 | CRLF Injection in Nodejs ‘undici’ via host | undici | 6.5 | Medium | 2023-02-16
CVE-2023-0040 | Async injection vulnerability | Async HTTP Client | 7.5 | - | 2023-01-18
CVE-2022-35948 | CRLF Injection in Nodejs ‘undici’ via Content-Type | undici | 5.3 | Medium | 2022-08-13
CVE-2022-31150 | CRLF injection in request headers | undici | 5.3 | Medium | 2022-07-19
CVE-2022-0666 | CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in microweber/microweber | microweber/microweber | 6.5 | - | 2022-02-18
CVE-2021-4097 | CRLF Injection in phpservermon/phpservermon | phpservermon/phpservermon | 5.4 | - | 2021-12-11
CVE-2021-39172 | New line injection during configuration edition | Cachet | 8.8 | High | 2021-08-27
CVE-2021-31164 | Apache Unomi log injection | Apache Unomi | 9.1 | - | 2021-05-04
CVE-2020-3561 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software WebVPN CRLF Injection Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 6.1 | - | 2020-10-21
CVE-2020-11078 | CRLF injection in httplib2 | httplib2 | 6.8 | Medium | 2020-05-20
CVE-2020-3246 | Cisco Umbrella Carriage Return Line Feed Injection Vulnerability | Cisco Umbrella | 4.3 | - | 2020-05-06
CVE-2019-15616 | Nextcloud Server injection vulnerability | Nextcloud Server | 6.5 | - | 2020-02-04
CVE-2018-12477 | obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories | Open Build Service | 6.5 | - | 2018-10-09
CVE-2018-12537 | Eclipse Vert.x security vulnerability | Eclipse Vert.x | 5.3 | - | 2018-08-14

Vulnerabilities classified as CWE-93 (Improper Neutralization of CRLF Sequences (CRLF Injection)) represent 89 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.