VYPR
High severity 7.2 · NVD Advisory · Published Oct 30, 2024 · Updated Apr 15, 2026

CVE-2023-52066

Description

http.zig commit 76cf5 was discovered to contain a CRLF injection vulnerability via the url parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

http.zig commit 76cf5 contains a CRLF injection vulnerability in the url parameter, allowing header injection.

The vulnerability exists in the http.zig library (commit 76cf5) where the URL parameter is used directly in response headers without sanitization. Specifically, the res.header("example", value); call in the /param/:value route does not filter out CRLF sequences, enabling header injection attacks.

An attacker can exploit this by sending a crafted HTTP request to the vulnerable endpoint. The PoC demonstrates using a parameter value like a\r\nexample:b\r\ninjected:test to inject arbitrary headers into the response. No authentication is required; the attack is performed over the network by simply sending a malicious HTTP request.

Successful exploitation allows an attacker to inject arbitrary HTTP headers, overwrite existing headers, or perform HTTP response splitting. This can lead to cache poisoning, cross-site scripting, or session fixation attacks, depending on how the affected server processes the injected headers.

The issue was reported via the project's GitHub issue tracker [1]. Users are advised to update the http.zig library to a patched version once available. As of this report, the maintainer has been notified.
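The header-framing failure described above, and an application-side check that rejects it, as an added example that is not code from http.zig or from the advisory. It is written in Python rather than Zig, the function and class names are hypothetical, and the sample value is the one quoted in the text above.

```python
"""Added example: header serialization with and without CR/LF validation."""


class HeaderInjectionError(ValueError):
    """Raised when a header name or value would break response framing."""


# CR and LF end a header line; RFC 9110 also treats NUL in a value as invalid.
_FORBIDDEN_IN_VALUE = ("\r", "\n", "\x00")
# RFC 9110 "token" characters, the only ones allowed in a header name.
_TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def serialize_unsafe(status_line, headers):
    """The flawed pattern: values are copied onto the wire unchanged."""
    lines = [status_line] + [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def check_header(name, value):
    """Reject anything that could start a new header line or end the head."""
    if not name or any(c not in _TOKEN_CHARS for c in name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if any(c in value for c in _FORBIDDEN_IN_VALUE):
        raise HeaderInjectionError(f"CR/LF/NUL in value of header {name!r}")


def serialize_checked(status_line, headers):
    """Validate every header before any byte of the response is built."""
    for name, value in headers:
        check_header(name, value)
    return serialize_unsafe(status_line, headers)


def header_lines(raw):
    """Split a serialized response head into header lines, as a client would."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


# Constructed input: the route parameter value quoted in the advisory text.
ROUTE_PARAM = "a\r\nexample:b\r\ninjected:test"

if __name__ == "__main__":
    raw = serialize_unsafe("HTTP/1.1 200 OK", [("example", ROUTE_PARAM)])
    print(header_lines(raw))  # one header set by the handler, three on the wire
    try:
        serialize_checked("HTTP/1.1 200 OK", [("example", ROUTE_PARAM)])
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the value outright is safer than stripping the control characters, because stripping still lets request data decide the header's content.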

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
