Ritlabs TinyWeb Server Request crlf injection
Description
A security vulnerability has been detected in Ritlabs TinyWeb Server 1.94. It affects unknown code in the Request Handler component. Manipulation of input with %0D%0A leads to CRLF injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.99 resolves this issue. The identifier of the patch is d49c3da6a97e950975b18626878f3ee1f082358e. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=1.94
- Ritlabs/TinyWeb Server, range: 1.94
Patches
Vulnerability mechanics
Root cause
"Missing sanitization of CRLF characters in the Location response header allows HTTP header injection."
Attack vector
An attacker sends a crafted HTTP request containing `%0D%0A` (URL-encoded CRLF) sequences in the input that eventually reaches the `Location` response header. Because the server does not strip or neutralize CRLF characters before inserting attacker-controlled data into the response header, the attacker can inject arbitrary HTTP headers or split the response body. The attack is performed remotely over the network with no authentication required.
Affected code
The vulnerability is in the `ReturnNewLocation` function within the TinyWeb server source code. The function directly assigns the `ALocation` parameter to `d.ResponseResponseHeader.Location` without sanitization [ref_id=1]. The patch introduces a new `StripCRLF` helper function and applies it to the `Location` header assignment to neutralize CRLF sequences [ref_id=1].
What the fix does
The patch adds a `StripCRLF` function that removes all carriage return (`#13`) and line feed (`#10`) characters from a string [ref_id=1]. This function is then called on the `ALocation` value before it is assigned to `d.ResponseResponseHeader.Location` in `ReturnNewLocation` [ref_id=1]. By stripping CRLF characters from the Location header value, the server prevents an attacker from injecting arbitrary headers or splitting the HTTP response, closing the CRLF injection vector.
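As an added illustration (not TinyWeb's own Pascal code), the following Python models the unsanitized Location assignment described above beside a StripCRLF-style filter, then parses the resulting response the way a client would so any injected header field becomes visible; the function names, the redirect target and the injected header name are constructed for the example.

```python
# Added example, not TinyWeb's code: models the unsanitized Location header
# described above beside a StripCRLF-style filter, and parses the resulting
# response as a client would so any injected header becomes visible.
from urllib.parse import unquote


def strip_crlf(value: str) -> str:
    """Drop CR (#13) and LF (#10), as the described StripCRLF fix does."""
    return value.replace("\r", "").replace("\n", "")


def build_redirect(location: str, sanitize: bool) -> bytes:
    """Build a minimal 302 response. sanitize=False copies the value
    verbatim, modelling the vulnerable ReturnNewLocation behaviour."""
    if sanitize:
        location = strip_crlf(location)
    head = ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n")
    return head.encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Split the response into header fields the way an HTTP client does."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed sample: a redirect target carrying a URL-encoded CRLF, decoded
# the way a server decodes request input before using it (hypothetical).
SAMPLE_TARGET = unquote("/index.html%0D%0AX-Injected:%201")


def compare() -> tuple:
    """Return (vulnerable, fixed) header dicts for the same input."""
    vulnerable = parse_headers(build_redirect(SAMPLE_TARGET, sanitize=False))
    fixed = parse_headers(build_redirect(SAMPLE_TARGET, sanitize=True))
    return vulnerable, fixed


if __name__ == "__main__":
    vuln, safe = compare()
    print("vulnerable:", vuln)  # contains a separate 'x-injected' field
    print("fixed:     ", safe)  # one Location field, no extra header
```

Stripping, as the patch does, keeps the remainder of the tainted value inside the single Location field, so the response can no longer be split into extra header lines even though the odd value is still visible to the client.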
Preconditions
- network: The attacker must be able to send HTTP requests to the TinyWeb server on a reachable network port.
- input: The attacker must supply input containing URL-encoded CRLF sequences (%0D%0A) that is reflected into the Location response header.
Reproduction
A public PoC is available at https://github.com/DMCERTCE/CRLF_Tiny. The repository provides exploit code that sends a crafted HTTP request with CRLF injection payloads to the TinyWeb server, demonstrating injection of arbitrary response headers.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/maximmasiutin/TinyWeb/commit/d49c3da6a97e950975b18626878f3ee1f082358e (mitre, patch)
- github.com/maximmasiutin/TinyWeb/releases/tag/v1.99 (mitre, patch)
- vuldb.com (mitre, vdb-entry, technical-description, mitigation, patch)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (mitre, signature, permissions-required)
- www.masiutin.net/tinyweb-cve-2024-5193.html (mitre, mitigation)
News mentions
No linked articles in our index yet.