VYPR

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Abstraction: Variant · Status: Incomplete

Description

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-105 · CAPEC-31 · CAPEC-34 · CAPEC-85

CVEs mapped to this weakness (72)

page 1 of 4
  • CVE-2026-38967 · Critical · Jun 2, 2026
    risk 0.57 · cvss 9.8 · epss 0.00

    CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.

  • CVE-2025-61689 · High · Oct 10, 2025
    risk 0.57 · cvss n/a · epss 0.00

    HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting…

  • CVE-2025-53094 · High · Jun 27, 2025
    risk 0.57 · cvss n/a · epss 0.00

    ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within…

  • CVE-2018-3911 · High · Aug 23, 2018
    risk 0.56 · cvss 8.6 · epss 0.01

    An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely…

  • CVE-2016-8024 · High · Mar 14, 2017
    risk 0.56 · cvss 8.1 · epss 0.09

    Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows a remote unauthenticated attacker to obtain sensitive information via server HTTP response spoofing.

  • CVE-2026-34520 · Critical · Apr 1, 2026
    risk 0.52 · cvss 9.1 · epss 0.00

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

  • CVE-2025-53007 · High · Jun 26, 2025
    risk 0.51 · cvss n/a · epss 0.00

    arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain an HTTP Response Splitting vulnerability. The `sendHeader` function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and…

  • CVE-2026-42578 · High · May 13, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using…

  • CVE-2026-41683 · High · May 8, 2026
    risk 0.49 · cvss 8.6 · epss 0.00

    i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through…

  • CVE-2026-9658 · High · May 28, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET…

  • CVE-2026-39971 · High · Apr 15, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without validation, and the existing sanitization function…

  • CVE-2025-40927 · High · Aug 29, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    CGI::Simple versions before 1.282 for Perl have an HTTP response splitting flaw. This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain…

  • CVE-2015-1445 · High · Aug 28, 2017
    risk 0.47 · cvss 7.2 · epss 0.02

    HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.

  • CVE-2025-52479 · High · Jun 25, 2025
    risk 0.43 · cvss n/a · epss 0.00

    HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allow the construction of URIs containing CR/LF characters. If user input…

  • CVE-2026-50630 · Medium · Jun 12, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm…

  • CVE-2026-42035 · High · Apr 24, 2026
    risk 0.41 · cvss 7.4 · epss 0.00

    Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability…

  • CVE-2026-43870 · High · May 5, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue…

  • CVE-2018-16979 · Medium · Sep 12, 2018
    risk 0.40 · cvss 6.1 · epss 0.03

    Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.

  • CVE-2018-1067 · Medium · May 21, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    In Undertow before versions 7.1.2.CR1 and 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete, and the Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input…

  • CVE-2017-12308 · Medium · Jan 18, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient…