VYPR
High severity · NVD Advisory · Published Jul 27, 2020 · Updated Sep 17, 2024

HTTP Response Splitting

CVE-2020-7695

Description

Uvicorn before 0.11.7 fails to escape CRLF sequences in HTTP headers, allowing response splitting attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-7695 is an HTTP response splitting vulnerability in Uvicorn, an ASGI web server for Python. The root cause is that prior to version 0.11.7, CRLF sequences (\r\n) are not properly escaped in the values of HTTP headers when using the httptools parser [1][4]. This enables an attacker to inject arbitrary headers or even an entire HTTP response body into the server's response by providing crafted input in header values.

Exploitation

The attack surface is any endpoint that reflects user-controlled input in HTTP response headers. For example, if the application copies part of the request path into a header (e.g., Referer or a custom header), an attacker can send a GET request whose URL contains URL-encoded CRLF sequences such as %0d%0a. The server writes the decoded bytes into the header unescaped, so the attacker can terminate the current response and start a new one [4]. No authentication is required, as the vector is purely request-based.

Impact

A successful exploit allows the attacker to control subsequent HTTP responses, potentially leading to cache poisoning, cross-site scripting (XSS), or content injection. The attacker can add arbitrary headers (e.g., Set-Cookie) or return a malicious response body, compromising users who interact with the poisoned response [1][2]. The vulnerability has a CVSS v3.1 score of 6.1 (Medium).

Mitigation

The vulnerability is fixed in Uvicorn version 0.11.7. Users should upgrade to this version or later [3][4]. There is no known workaround for older versions other than avoiding user input in header values. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
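The workaround above (keep user input out of header values) can be enforced mechanically. The following is an added example, not uvicorn's own code and not from this advisory: an ASGI middleware that refuses to send any response header containing a CR or LF byte, run against a constructed application that reflects the request path into a header, the pattern the Exploitation section describes. HeaderSplitGuard, echo_path_app and response_status are names chosen here.

```python
import asyncio
from typing import Iterable, List, Tuple

CRLF = (0x0D, 0x0A)  # CR and LF: the bytes that end a header line in HTTP/1.1

def find_crlf_headers(headers: Iterable[Tuple[bytes, bytes]]) -> List[Tuple[bytes, bytes]]:
    """Return every (name, value) pair that contains a bare CR or LF byte."""
    return [(n, v) for n, v in headers if any(b in CRLF for b in n + v)]

class HeaderSplitGuard:
    """ASGI middleware that fails closed when a response header could split."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)

        async def guarded_send(message):
            if message["type"] == "http.response.start" and \
                    find_crlf_headers(message.get("headers", [])):
                # Send a plain 500 instead of the tainted head: stripping bytes
                # would hide the bug, failing closed makes it visible in logs.
                message = {"type": "http.response.start", "status": 500,
                           "headers": [(b"content-type", b"text/plain")]}
            await send(message)

        await self.app(scope, receive, guarded_send)

async def echo_path_app(scope, receive, send):
    """Constructed demo app that reflects the request path into a header (unsafe)."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"x-echo", scope["path"].encode("latin-1"))]})
    await send({"type": "http.response.body", "body": b"ok"})

def response_status(path: str) -> int:
    """Run echo_path_app behind the guard for `path` and return the status sent."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "path": path, "method": "GET"}
    asyncio.run(HeaderSplitGuard(echo_path_app)(scope, receive, send))
    return sent[0]["status"]

if __name__ == "__main__":
    print(response_status("/safe"))                  # 200
    print(response_status("/x\r\nset-cookie: a=1"))  # 500: header would have split
```

ASGI hands the middleware the already-decoded path, so the check runs on the raw bytes that would reach the wire, which is where escaping was missing in affected versions.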

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
uvicorn   PyPI        < 0.11.7            0.11.7
