VYPR
Unrated severity · NVD Advisory · Published Sep 12, 2023 · Updated Sep 26, 2024

CVE-2023-26142

Description

All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crow C++ microframework is vulnerable to HTTP Response Splitting via CRLF injection in header functions, allowing attackers to inject malicious content.

Vulnerability

The Crow C++ microframework (all versions up to but not including 1.3.2) is vulnerable to HTTP Response Splitting because the set_header and add_header functions in http_response.h do not neutralize CRLF sequences in header values. When a header value is built from untrusted user input, an attacker can embed \r\n (carriage return, line feed) to terminate the current header line, append further headers, or, with a second CRLF pair, end the header block and supply a response body of their choosing. [1][2]

Exploitation

An attacker needs only network access to the server and control over a request value that the application copies into a response header (e.g., a query parameter). The proof-of-concept sends a request whose q parameter contains %0d%0a (URL-encoded CRLF); the server decodes it and passes the result to a custom header. Once the CRLF is on the wire, the attacker controls everything that follows it: additional headers, Set-Cookie lines, or, after a second CRLF, a new response body. No authentication or special privileges are required. [1]

Impact

Successful exploitation results in HTTP Response Splitting: the attacker injects additional headers or an attacker-chosen response body. If the injected body is rendered by a browser this becomes cross-site scripting (XSS); injected headers enable cache poisoning, session fixation via Set-Cookie, and other attacks that depend on controlling HTTP response content. In effect the attacker can dictate the entire response the client sees. [1][2]

Mitigation

Upgrade to Crow version 1.3.2 or higher, which contains the fix for this vulnerability. The patched version was released on 2023-09-11 per the Snyk advisory. No workaround is documented in the advisory; users should update immediately. Independently of the upgrade, any header value derived from request data should be rejected (not merely stripped) if it contains CR or LF before it is passed to set_header or add_header, since the framework itself performs no such check in affected versions. [2]
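The following is an added example, not Crow's own code and not the proof-of-concept from the references: a stand-alone C++ model of the pattern described under Exploitation (a decoded query parameter copied verbatim into a header) beside the value check the Mitigation section calls for. The header name X-Query, the response body, the url_decode and serialize helpers, and the two payloads are constructed for illustration; only the q parameter name and the %0d%0a sequence come from the advisory text.

```cpp
// Added example (not Crow's code): the vulnerable header-serialization pattern and the
// CR/LF check a hardened set_header/add_header needs. Names below are assumptions.
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// Minimal percent-decoding of a query value; enough to turn %0d%0a into CR LF.
std::string url_decode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (in[i] == '+') {
            out += ' ';
        } else {
            out += in[i];
        }
    }
    return out;
}

// Vulnerable pattern: every header value is written to the wire as-is, so a value
// containing "\r\n" ends the current header line and whatever follows is parsed as
// further headers (or, after "\r\n\r\n", as the body).
std::string serialize(const Headers& headers, const std::string& body) {
    std::string out = "HTTP/1.1 200 OK\r\n";
    for (const auto& h : headers) out += h.first + ": " + h.second + "\r\n";
    out += "Content-Length: " + std::to_string(body.size()) + "\r\n\r\n" + body;
    return out;
}

// Hardened check: a header value must not contain CR, LF or NUL.
bool is_safe_header_value(const std::string& v) {
    for (unsigned char c : v) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// How a checked add_header should behave: refuse the header instead of emitting it.
bool add_header_checked(Headers& headers, const std::string& name, const std::string& value) {
    if (!is_safe_header_value(value)) return false;
    headers.emplace_back(name, value);
    return true;
}

// True if `name` appears as its own header line in the response head.
bool header_line_present(const std::string& response, const std::string& name) {
    const std::string head = response.substr(0, response.find("\r\n\r\n"));
    return head.find("\r\n" + name + ":") != std::string::npos;
}

// Body as a client would see it: everything after the first blank line.
std::string body_of(const std::string& response) {
    const size_t pos = response.find("\r\n\r\n");
    return pos == std::string::npos ? "" : response.substr(pos + 4);
}

// Models the vulnerable route: the decoded q parameter becomes the X-Query header value.
std::string respond_unsafe(const std::string& raw_q) {
    Headers headers;
    headers.emplace_back("X-Query", url_decode(raw_q));  // no check, as in affected versions
    return serialize(headers, "ok");
}

// Same route with the check applied; returns an empty string when the value is rejected.
std::string respond_safe(const std::string& raw_q) {
    Headers headers;
    if (!add_header_checked(headers, "X-Query", url_decode(raw_q))) return "";
    return serialize(headers, "ok");
}

int main() {
    // Constructed payloads in the shape of the PoC: CRLF followed by attacker-chosen content.
    const std::string inject_header = "test%0d%0aSet-Cookie:%20sid=attacker";
    const std::string inject_body = "x%0d%0a%0d%0a<script>alert(1)</script>";
    std::cout << respond_unsafe(inject_header) << "\n---\n";
    std::cout << body_of(respond_unsafe(inject_body)) << "\n---\n";
    std::cout << (respond_safe(inject_header).empty() ? "rejected" : "accepted") << "\n";
    return 0;
}
```

The first payload lands a Set-Cookie header the application never set; the second ends the header block early so the client treats the attacker's markup as the body, which is the XSS path described under Impact. The checked variant refuses both.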

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0

No linked articles in our index yet.