CWE-113 103 個 CVE MITRE 定義 ↗

CWE-113:Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

概覽

CWE-113(Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology Web Server Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2025-62826 2026-07-14 An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiO…
CVE-2025-62675 2026-07-14 An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiO…
CVE-2026-50188 2026-07-09 Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins using the Kirby Http Remote class, including Remote::request(), Remote::get(), and Remote::post(), …
CVE-2025-71381 2026-06-30 Hono before 4.10.2 (fixed in 4.10.3) contains a flaw in its CORS middleware: when the origin is not set to "*", the middleware copies the Vary header from the incoming request into the response. Becau…
CVE-2026-55766 2026-06-23 guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.1, guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request metho…
CVE-2026-50269 2026-06-22 AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to in…
CVE-2026-50630 2026-06-12 A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage …
CVE-2026-44489 2026-06-11 Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Obje…
CVE-2026-49214 2026-06-11 guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulner…
CVE-2026-43966 2026-06-08 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields …
CVE-2026-48596 2026-06-02 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_para…
CVE-2026-38967 2026-06-02 CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
CVE-2026-38978 2026-06-02 transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.
CVE-2026-47675 2026-05-28 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters tha…
CVE-2026-9658 2026-05-28 Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the re…
CVE-2026-44214 2026-05-26 eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage be…
CVE-2026-42578 2026-05-13 Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicit…
CVE-2026-7010 2026-05-11 HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host th…
CVE-2026-42874 2026-05-11 Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n seq…
CVE-2026-41683 2026-05-08 i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language…

曾用名

  • HTTP Response Splitting (2008-04-11, Draft 9)
  • Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') (2009-05-27, 1.4)
  • Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (2010-06-21, 1.9)
  • Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (2022-06-28, 4.8)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated References, Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships, Observed_Example, Other_Notes, References, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Description, Other_Notes
2009-03-10 CWE Content Team 1.3 updated Demonstrative_Examples
2009-05-27 CWE Content Team 1.4 updated Name
2009-07-27 CWE Content Team 1.5 updated Demonstrative_Examples, Potential_Mitigations
2009-10-29 CWE Content Team 1.6 updated Common_Consequences, Description, Other_Notes, Theoretical_Notes
2010-02-16 CWE Content Team 1.8 updated Taxonomy_Mappings
2010-06-21 CWE Content Team 1.9 updated Description, Name
2011-03-29 CWE Content Team 1.12 updated Potential_Mitigations
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Description
2012-05-11 CWE Content Team 2.2 updated Common_Consequences, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-06-23 CWE Content Team 2.7 updated Demonstrative_Examples
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2015-12-07 CWE Content Team 2.9 updated Relationships
2017-05-03 CWE Content Team 2.11 updated Related_Attack_Patterns
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms, Demonstrative_Examples
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Potential_Mitigations, Relationships, Type
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-06-28 CWE Content Team 4.8 Critical Extended the abstraction of this entry to include both HTTP request and response splitting.
2022-06-28 CWE Content Team 4.8 updated Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Theoretical_Notes
2022-10-13 CWE Content Team 4.9 updated Demonstrative_Examples, Related_Attack_Patterns
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2024-11-19 CWE Content Team 4.16 updated Demonstrative_Examples
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities

貢獻

類型 名稱 日期 評論
Content Jonathan Leitschuh 2022-02-25 Suggested a new entry for HTTP Request Splitting, leading to scope expansion for CWE-113
cvelogic Threat Intelligence