VYPR
Moderate severity · NVD Advisory · Published Dec 24, 2020 · Updated Aug 4, 2024

CVE-2020-35669

Description

CRLF injection vulnerability in Dart http package through 0.12.2 allows HTTP request smuggling when attacker controls the HTTP method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

The Dart http package (package:http) did not validate the HTTP method string passed to the BaseRequest constructor, which Request, StreamedRequest and every other BaseRequest subclass call. An attacker who controls the method parameter can embed CRLF sequences (\r\n) and so append arbitrary header lines, or a blank line followed by body or request text, to the outgoing HTTP request. This is a classic CRLF injection flaw caused by missing input validation in the BaseRequest class [1][3]. The NVD description names versions through 0.12.2 as affected; the GitHub Security Advisory lists every release below 0.13.3, which matches the release the fix landed in (the patch's changelog entry sits under 0.13.3-dev).

Exploitation

Exploitation requires the application to construct a Request (or another BaseRequest subclass) directly and pass an attacker-controlled method string; the top-level helpers such as get and post use a fixed method and are not a vector. No authentication is needed if the method comes from user input. A method such as "GET\r\nX-Injected: true" terminates the request line early and adds a header; a payload containing "\r\n\r\n" ends the header block, so whatever follows is parsed as a body or as a second request. The flaw exists because the BaseRequest constructor used the method parameter verbatim in the request line, with no check that it was a single HTTP token [3]. How far the injected bytes travel depends on the platform client underneath package:http passing the string through to the wire unchanged.

Impact

Successful exploitation lets an attacker inject arbitrary HTTP headers, or body content after an injected blank line, into a request the application sends. Depending on how the server or an intermediary parses the result, this enables request smuggling (a second request hidden inside the first), cache poisoning, and bypass of controls that trust the application's outbound requests, such as a proxy or backend that assumes only the application sets certain headers [1].

Mitigation

The issue was fixed in version 0.13.3 of the http package. The fix validates the method parameter against a regular expression for RFC 7230 tokens; the commit [3] adds _validateMethod to BaseRequest, which throws an ArgumentError for any string that is not a single token, so a method containing CR, LF, whitespace or any other separator is rejected before a request object exists. The character class is slightly stricter than the RFC (it omits `$`), which is harmless in practice. Users should upgrade to 0.13.3 or later and expect that code which previously passed non-token method strings now gets an ArgumentError at construction time. The changelog [2] confirms the fix in this release.
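The following is an added example, not code from package:http or from the advisory, that makes the Exploitation and Mitigation sections above concrete. It renders the request head an HTTP/1.1 client would send for an attacker-controlled method (a simplified stand-in for the real client, and an assumption of this example, not the package's wire code), shows how a CRLF payload yields a second, smuggled request, and then applies the token check that the 0.13.3 fix added to BaseRequest. The function names, the URL and the payload are this example's own constructions. It uses dart:core only, so it runs with `dart run` and needs no pubspec.

```dart
// Added example, not code from package:http. It models what an unvalidated
// `method` string does to the outgoing HTTP/1.1 request head, and applies the
// token check that package:http 0.13.3 added to BaseRequest. Uses dart:core
// only, so `dart run crlf_method_demo.dart` works without a pubspec.

/// Token pattern as added in the 0.13.3 fix (RFC 7230 tchar, minus `$`).
/// Dart RegExp follows ECMAScript rules: `$` matches only at the end of the
/// input, so a method ending in a bare "\n" is rejected as well.
final RegExp tokenRE = RegExp(r"^[\w!#%&'*+\-.^`|~]+$");

/// Mirrors BaseRequest._validateMethod from the fix: anything that is not a
/// single token is refused before the request object exists.
String validateMethod(String method) {
  if (!tokenRE.hasMatch(method)) {
    throw ArgumentError.value(method, 'method', 'Not a valid method');
  }
  return method;
}

/// Simplified request-head renderer (an assumption of this example, not the
/// package's wire code). Like package:http before 0.13.3, it uses `method`
/// verbatim, so CR/LF inside it lands on the wire unchanged.
String renderRequestHead(String method, Uri url, Map<String, String> headers) {
  final target = url.path.isEmpty ? '/' : url.path;
  final head = StringBuffer()
    ..write('$method $target HTTP/1.1\r\n')
    ..write('host: ${url.host}\r\n');
  headers.forEach((name, value) => head.write('$name: $value\r\n'));
  head.write('\r\n');
  return head.toString();
}

/// Splits a rendered head the way an HTTP/1.1 server would: each blank line
/// ends one request's header block, so an injected "\r\n\r\n" produces a
/// second request line. Returns every request line found.
List<String> requestLines(String head) => head
    .split('\r\n\r\n')
    .where((block) => block.isNotEmpty)
    .map((block) => block.split('\r\n').first)
    .toList();

/// Makes CR and LF visible when printing a payload.
String visible(String s) => s.replaceAll('\r', r'\r').replaceAll('\n', r'\n');

void main() {
  // Constructed inputs for the demo.
  final url = Uri.parse('https://api.example.test/v1/items');
  final headers = {'accept': 'application/json'};

  // 1. Benign method: exactly one request line reaches the server.
  final benign = renderRequestHead('GET', url, headers);
  print('benign request lines: ${requestLines(benign)}');

  // 2. Attacker-controlled method (constructed payload). The CRLF pair ends
  //    the request line early, the injected headers follow, and the blank
  //    line plus "POST" turns the application's own target into a second,
  //    smuggled request.
  const smuggled = 'GET /admin HTTP/1.1\r\n'
      'host: api.example.test\r\n'
      'content-length: 0\r\n'
      '\r\n'
      'POST';
  final injected = renderRequestHead(smuggled, url, headers);
  print('smuggled request lines: ${requestLines(injected)}');

  // 3. With the 0.13.3 check in front of the constructor, the same string
  //    never becomes a request, while ordinary tokens still pass.
  for (final candidate in [
    'GET', 'PATCH', 'M-SEARCH', smuggled, 'SUPER LLAMA', 'GET\n', '',
  ]) {
    try {
      print('accepted: ${validateMethod(candidate)}');
    } on ArgumentError catch (e) {
      print('rejected: "${visible(candidate)}" (${e.message})');
    }
  }
}
```

The split on the blank line in requestLines is the whole point: the server-side parser has no way to tell that the second request line came from a method string rather than from the application, which is why the fix rejects the input at the constructor instead of trying to escape it later.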

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
http    | Pub       | < 0.13.3          | 0.13.3

Affected products: 2

Patches: 1
abb2bb182fbd

Validate request methods against a regex (#512)

https://github.com/dart-lang/http · Marcin Niemira · Apr 30, 2021 · via ghsa
4 files changed · +25 −2
  • CHANGELOG.md (+2 −0, modified)
    @@ -1,5 +1,7 @@
     ## 0.13.3-dev
     
    +* Validate that the `method` parameter of BaseRequest is a valid "token".
    +
     ## 0.13.2
     
     * Add `package:http/retry.dart` with `RetryClient`. This is the same
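Review bot: the new 0.13.3-dev changelog line should say what now happens to a non-token method, since this is a behaviour change callers can hit at runtime: the BaseRequest constructor throws an ArgumentError instead of accepting the string. Suggest something like `* Validate that the `method` parameter of BaseRequest is a valid "token"; an ArgumentError is thrown otherwise.` and a pointer to the advisory so downstream users can match the entry to CVE-2020-35669.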
    
  • lib/src/base_request.dart (+11 −2, modified)
    @@ -88,8 +88,17 @@ abstract class BaseRequest {
       bool get finalized => _finalized;
       bool _finalized = false;
     
    -  BaseRequest(this.method, this.url)
    -      : headers = LinkedHashMap(
    +  static final _tokenRE = RegExp(r"^[\w!#%&'*+\-.^`|~]+$");
    +  static String _validateMethod(String method) {
    +    if (!_tokenRE.hasMatch(method)) {
    +      throw ArgumentError.value(method, 'method', 'Not a valid method');
    +    }
    +    return method;
    +  }
    +
    +  BaseRequest(String method, this.url)
    +      : method = _validateMethod(method),
    +        headers = LinkedHashMap(
                 equals: (key1, key2) => key1.toLowerCase() == key2.toLowerCase(),
                 hashCode: (key) => key.toLowerCase().hashCode);
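Review bot: the character class in `static final _tokenRE = RegExp(r"^[\w!#%&'*+\-.^`|~]+$");` leaves out `$`, which RFC 7230's tchar production allows, so a method containing `$` is rejected even though it is a valid token; harmless for this fix, but worth either adding an escaped `$` to the class or a comment saying the omission is deliberate. The anchoring is right: Dart RegExp follows ECMAScript rules, so without multiLine the `$` anchor matches only at the end of the input and a method ending in a bare "\n" is rejected rather than matched up to the newline, and `\w` is ASCII-only, so no Unicode letters slip through. A one-line doc comment on `_tokenRE` stating both points would save the next reader from re-deriving them.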
     
    
  • test/request_test.dart (+6 −0, modified)
    @@ -334,4 +334,10 @@ void main() {
           expect(request.toString(), 'POST $dummyUrl');
         });
       });
    +
    +  group('#method', () {
    +    test('must be a token', () {
    +      expect(() => http.Request('LLAMA[0]', dummyUrl), throwsArgumentError);
    +    });
    +  });
     }
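Review bot: the only case in the new `#method` group, `http.Request('LLAMA[0]', dummyUrl)`, exercises an illegal bracket character but not the CRLF injection this change exists to block; add a case such as `http.Request('GET\r\nX-Injected: true', dummyUrl)` and a positive case (for example `http.Request('PATCH', dummyUrl)` not throwing) so the pattern cannot later be tightened into rejecting valid methods without a test failing.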
    
  • test/streamed_request_test.dart (+6 −0, modified)
    @@ -24,4 +24,10 @@ void main() {
           expect(() => request.contentLength = 10, throwsStateError);
         });
       });
    +  group('#method', () {
    +    test('must be a token', () {
    +      expect(() => http.StreamedRequest('SUPER LLAMA', dummyUrl),
    +          throwsArgumentError);
    +    });
    +  });
     }
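Review bot: `http.StreamedRequest('SUPER LLAMA', dummyUrl)` covers an embedded space, but the tests still miss the empty string and a trailing newline, both of which the pattern's `+` quantifier and end anchor reject; adding `''` and `'GET\n'` cases here documents that behaviour. Since the validation lives in the shared BaseRequest constructor, one table-driven test over both subclasses would also avoid repeating the same group in each file.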
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
