CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Description
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-15 · CAPEC-81
CVEs mapped to this weakness (143)
page 4 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-5331 | | Med | 0.40 | 6.1 | 0.02 | | Aug 8, 2016 | CRLF injection vulnerability in VMware vCenter Server 6.0 before U2 and ESXi 6.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
| CVE-2026-1299 | | Med | 0.39 | — | 0.01 | | Jan 23, 2026 | The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that… |
| CVE-2026-55603 | | High | 0.38 | — | 0.00 | | Jun 18, 2026 | Summary: `fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates… |
| CVE-2025-57804 | | Med | 0.38 | — | 0.02 | | Aug 25, 2025 | h2 is a pure-Python implementation of an HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to… |
| CVE-2026-35504 | | Med | 0.36 | 5.5 | 0.00 | | May 12, 2026 | PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication. |
| CVE-2026-44217 | | Med | 0.36 | — | 0.00 | | May 12, 2026 | sse-channel is an SSE implementation which can be used with any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject… |
| CVE-2026-2717 | | Med | 0.36 | 5.5 | 0.00 | | Apr 22, 2026 | The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This… |
| CVE-2026-46719 | | Med | 0.35 | 6.5 | 0.00 | | May 16, 2026 | Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. |
| CVE-2024-51981 | | Med | 0.35 | 5.3 | 0.01 | | Jun 25, 2025 | An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CRLF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The… |
| CVE-2016-9964 | | Med | 0.35 | 6.5 | 0.02 | | Dec 16, 2016 | redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call. |
| CVE-2026-50629 | | Med | 0.34 | 5.3 | 0.00 | | Jun 12, 2026 | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are… |
| CVE-2026-41417 | | Med | 0.34 | 5.3 | 0.00 | | May 6, 2026 | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does… |
| CVE-2017-7528 | | Med | 0.34 | 5.2 | 0.01 | | Aug 22, 2018 | Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback). |
| CVE-2026-3848 | | Med | 0.33 | 5.0 | 0.00 | | Mar 11, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to… |
| CVE-2015-9097 | | Med | 0.33 | 6.1 | 0.03 | | Jun 12, 2017 | The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. |
| CVE-2015-9096 | | Med | 0.33 | 6.1 | 0.04 | | Jun 12, 2017 | Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. |
| CVE-2016-4993 | | Med | 0.33 | 6.1 | 0.03 | | Sep 26, 2016 | CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified… |
| CVE-2026-0672 | | Med | 0.32 | — | 0.00 | | Jan 20, 2026 | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters. |
| CVE-2025-15282 | | Med | 0.32 | — | 0.00 | | Jan 20, 2026 | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. |
| CVE-2014-9563 | | Med | 0.32 | 4.9 | 0.01 | | Apr 12, 2018 | CRLF injection vulnerability in the web-based management (WBM) interface in Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 devices before R3.32.0 allows remote authenticated users to modify the root password and consequently access the debug port using the… |