CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Description
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-105 · CAPEC-31 · CAPEC-34 · CAPEC-85
CVEs mapped to this weakness (72)
page 1 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-38967 | | Critical | 0.57 | 9.8 | 0.00 | | Jun 2, 2026 | CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. |
| CVE-2025-61689 | | High | 0.57 | — | 0.00 | | Oct 10, 2025 | HTTP.jl provides HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting… |
| CVE-2025-53094 | — | High | 0.57 | — | 0.00 | | Jun 27, 2025 | ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within… |
| CVE-2018-3911 | | High | 0.56 | 8.6 | 0.01 | | Aug 23, 2018 | An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely… |
| CVE-2016-8024 | | High | 0.56 | 8.1 | 0.09 | | Mar 14, 2017 | Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows a remote unauthenticated attacker to obtain sensitive information via server HTTP response spoofing. |
| CVE-2026-34520 | | Critical | 0.52 | 9.1 | 0.00 | | Apr 1, 2026 | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4. |
| CVE-2025-53007 | | High | 0.51 | — | 0.00 | | Jun 26, 2025 | arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain an HTTP Response Splitting vulnerability. The `sendHeader` function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and… |
| CVE-2026-42578 | | High | 0.49 | 7.5 | 0.00 | | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using… |
| CVE-2026-41683 | — | High | 0.49 | 8.6 | 0.00 | | May 8, 2026 | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through… |
| CVE-2026-9658 | | High | 0.47 | 7.3 | 0.00 | | May 28, 2026 | Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET… |
| CVE-2026-39971 | — | High | 0.47 | 7.2 | 0.00 | | Apr 15, 2026 | Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function… |
| CVE-2025-40927 | | High | 0.47 | 7.3 | 0.00 | | Aug 29, 2025 | CGI::Simple versions before 1.282 for Perl have an HTTP response splitting flaw. This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain… |
| CVE-2015-1445 | — | High | 0.47 | 7.2 | 0.02 | | Aug 28, 2017 | HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30. |
| CVE-2025-52479 | | High | 0.43 | — | 0.00 | | Jun 25, 2025 | HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allow the construction of URIs containing CR/LF characters. If user input… |
| CVE-2026-50630 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 12, 2026 | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm… |
| CVE-2026-42035 | | High | 0.41 | 7.4 | 0.00 | | Apr 24, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability… |
| CVE-2026-43870 | | High | 0.40 | 7.3 | 0.00 | | May 5, 2026 | Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue… |
| CVE-2018-16979 | | Medium | 0.40 | 6.1 | 0.03 | | Sep 12, 2018 | Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943. |
| CVE-2018-1067 | — | Medium | 0.40 | 6.1 | 0.02 | | May 21, 2018 | In Undertow before versions 7.1.2.CR1 and 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and the Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input… |
| CVE-2017-12308 | | Medium | 0.40 | 6.1 | 0.01 | | Jan 18, 2018 | A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient… |