VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 2, 2026

CVE-2026-38967

CVE-2026-38967

Description

CrowCpp Crow versions up to 1.3.1 are vulnerable to HTTP response header injection due to unvalidated CR/LF characters in header values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CrowCpp Crow versions up to 1.3.1 are vulnerable to HTTP response header injection due to unvalidated CR/LF characters in header values.

Vulnerability

CrowCpp Crow versions up to and including v1.3.1 are vulnerable to HTTP response header injection. The vulnerability exists because the library directly places caller-supplied header values into the response header map via set_header or add_header and serializes them into raw HTTP header lines without filtering carriage return (CR) and line feed (LF) characters. This allows an attacker to inject arbitrary additional response header lines [2].

Exploitation

An attacker can exploit this vulnerability by providing untrusted input containing CR/LF characters into a response header value. For example, an application reflecting a user-controlled query parameter into a header like res.add_header("X-Echo", value) can be targeted. By sending a request with a crafted query parameter value such as %0d%0aInjected:%20yes, an attacker can cause the server to emit a second, attacker-controlled header line in the HTTP response [2].

Impact

Successful exploitation allows an attacker to inject arbitrary additional response header lines. Depending on the application's configuration and deployment, this can lead to cookie injection, cache poisoning, modification of security-relevant headers, or HTTP response splitting-style behavior. At minimum, it breaks the integrity of the HTTP response header section, allowing attacker-controlled data to be interpreted as protocol syntax [2].

Mitigation

A fix for this vulnerability was implemented in a pull request merged on March 27, 2026, and is included in subsequent versions of CrowCpp Crow. The fix involves sanitizing CR/LF characters in header values to prevent injection [1]. No specific fixed version number is mentioned, but it is implied to be after v1.3.1. There are no workarounds mentioned other than applying the patch.

References
  1. [Security] Prevent HTTP Response Header Injection by sanitizing CR/LF characters by notfresh · Pull Request #1167 · CrowCpp/Crow
  2. [BUG] HTTP response header injection via unvalidated response header values

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
0e9aa2e5bdb6

fix#1165: sanitize header values to prevent injection and add helloworld_inject example (#1167)

https://github.com/CrowCpp/Crow张三思Mar 27, 2026via nvd-ref
commitPR #1167
4 files changed · +36 0
  • examples/CMakeLists.txt+4 0 modified
    @@ -7,6 +7,10 @@ add_executable(helloworld helloworld.cpp)
 add_warnings_optimizations(helloworld)
 target_link_libraries(helloworld PUBLIC Crow::Crow)
 
+add_executable(helloworld_inject helloworld_inject.cpp)
+add_warnings_optimizations(helloworld_inject)
+target_link_libraries(helloworld_inject PUBLIC Crow::Crow)
+
 # If compression is enabled, the example will be built
 if("compression" IN_LIST CROW_FEATURES)
   add_executable(example_compression example_compression.cpp)
  • examples/helloworld_inject.cpp+16 0 added
    @@ -0,0 +1,16 @@
+#include "crow.h"
+
+int main()
+{
+    crow::SimpleApp app;
+
+    CROW_ROUTE(app, "/")
+    ([](const crow::request &req, crow::response& res) {
+        res.write("Hello, world!");
+        res.set_header("X-Custom", "safe\r\nInjected: yes");
+        res.end();
+        //return "Hello, world!";
+    });
+
+    app.port(18080).run();
+}
  • include/crow/http_request.h+12 0 modified
    @@ -9,6 +9,8 @@
 #include <asio.hpp>
 #endif
 
+#include <algorithm>
+
 #include "crow/common.h"
 #include "crow/ci_map.h"
 #include "crow/query_string.h"
@@ -19,6 +21,14 @@ namespace crow // NOTE: Already documented in "crow/app.h"
     namespace asio = boost::asio;
 #endif
 
+    /// Remove CR (\r) and LF (\n) characters from a header name or value to prevent header injection.
+    inline void sanitize_header_value(std::string& s)
+    {
+        s.erase(std::remove_if(s.begin(), s.end(),
+                               [](char c) { return c == '\r' || c == '\n'; }),
+                s.end());
+    }
+
     /// Find and return the value associated with the key. (returns an empty string if nothing is found)
     inline const std::string& get_header_value(const ci_map& headers, const std::string& key)
     {
@@ -63,6 +73,8 @@ namespace crow // NOTE: Already documented in "crow/app.h"
 
         void add_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.emplace(std::move(key), std::move(value));
         }
  • include/crow/http_response.h+4 0 modified
    @@ -59,13 +59,17 @@ namespace crow
         /// Set the value of an existing header in the response.
         void set_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.erase(key);
             headers.emplace(std::move(key), std::move(value));
         }
 
         /// Add a new header to the response.
         void add_header(std::string key, std::string value)
         {
+            sanitize_header_value(key);
+            sanitize_header_value(value);
             headers.emplace(std::move(key), std::move(value));
         }

Vulnerability mechanics

Root cause

"The application does not sanitize newline characters in HTTP response header values."

Attack vector

An attacker can inject arbitrary HTTP headers by providing values containing newline characters (`\r\n`) to the application. These characters are not validated before being added to the response headers. This allows an attacker to split a single header into multiple lines, effectively injecting new headers into the response. The `helloworld_inject` example demonstrates how to set a custom header with injected content [ref_id=1].

Affected code

The vulnerability lies in the `add_header` and `set_header` methods within `include/crow/http_request.h` and `include/crow/http_response.h`. These methods previously accepted and added header values without sanitizing them for newline characters.

What the fix does

The patch introduces a `sanitize_header_value` function that removes carriage return (`\r`) and newline (`\n`) characters from both header keys and values [patch_id=4524241]. This function is called within `add_header` and `set_header` methods in `http_request.h` and `http_response.h`. By removing these characters, the injection of additional headers via newline characters is prevented.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.