VYPR

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Variant · Incomplete

Description

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-105 · CAPEC-31 · CAPEC-34 · CAPEC-85

CVEs mapped to this weakness (72)

page 2 of 4
  • CVE-2017-1262 · Med · Dec 20, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    IBM Security Guardium 10.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further…

  • CVE-2017-7443 · Med · Apr 5, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP response splitting via encoded newline characters, related to lack of blocking for the %0[ad] regular expression.

  • CVE-2016-5325 · Med · Oct 10, 2016
    risk 0.40 · cvss 6.1 · epss 0.04

    CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the…

  • CVE-2016-6839 · Med · Sep 7, 2016
    risk 0.40 · cvss 6.1 · epss 0.01

    CRLF injection vulnerability in Huawei FusionAccess before V100R006C00 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

  • CVE-2016-5699 · Med · Sep 2, 2016
    risk 0.40 · cvss 6.1 · epss 0.10

    CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL.

  • CVE-2016-3166 · Med · Apr 12, 2016
    risk 0.38 · cvss 5.9 · epss 0.01

    CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data…

  • CVE-2026-7010 · Med · May 11, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values. An…

  • CVE-2025-41234 · Med · Jun 12, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from…

  • CVE-2017-17742 · Med · Apr 3, 2018
    risk 0.35 · cvss 5.3 · epss 0.06

    Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

  • CVE-2017-12309 · Med · Nov 16, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker…

  • CVE-2026-43966 · Med · Jun 8, 2026
    risk 0.34 · cvss · epss 0.00

    Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and…

  • CVE-2017-7528 · Med · Aug 22, 2018
    risk 0.34 · cvss 5.2 · epss 0.01

    Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback).

  • CVE-2016-4993 · Med · Sep 26, 2016
    risk 0.33 · cvss 6.1 · epss 0.03

    CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified…

  • CVE-2016-0789 · Med · Apr 7, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

  • CVE-2026-44214 · Med · May 26, 2026
    risk 0.31 · cvss 5.8 · epss 0.00

    eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject…

  • CVE-2026-34767 · Med · Apr 4, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify…

  • CVE-2025-42934 · Med · Aug 12, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has…

  • CVE-2026-49214 · Med · Jun 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the…

  • CVE-2026-38978 · Med · Jun 2, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.

  • CVE-2026-34715 · Med · Apr 2, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    ewe is a Gleam web server. Prior to version 3.0.6, the encode_headers function in src/ewe/internal/encoder.gleam directly interpolates response header keys and values into raw HTTP bytes without validating or stripping CRLF (\r\n) sequences. An application that passes…