Improper Neutralization of CRLF Sequences ('CRLF Injection')

Status: Draft
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application uses carriage return and line feed characters (CRLF) to structure data, like separating lines or records, but fails to properly sanitize these sequences from user-supplied input before processing.

Extended Description

CRLF injection, often called 'HTTP Response Splitting' in web contexts, happens because attackers can inject the characters \r\n (CRLF) into input fields. When this unsanitized input is later used to construct structured outputs like HTTP headers, log files, or email headers, the injected characters can create new lines or entries. This allows attackers to manipulate the application's behavior, forge log entries, or inject malicious content that other users might see. To prevent this, developers must rigorously validate and sanitize all user-controlled data that influences output formatting. This involves encoding or stripping CRLF sequences (\r, \n, and their encoded equivalents like %0d%0a) before the data is used in any context where these characters have special meaning, such as HTTP responses, generated files, or system commands.

Common Consequences
Scope: Integrity

Impact: Modify Application Data

Detection Methods
Automated Static Analysis
Effectiveness: High
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Avoid using CRLF as a special sequence.
Phase: Implementation
Appropriately filter or quote CRLF sequences in user-controlled input.
Demonstrative Examples

ID: DX-224

The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.

Code Example (Bad, Java):

Assuming a string consisting of standard alphanumeric characters, such as "Jane Smith", is submitted in the request, the HTTP response including this cookie might take the following form:

Code Example (Result):
However, because the value of the cookie is composed of unvalidated user input, the response will only maintain this form if the value submitted for AUTHOR_PARAM does not contain any CR and LF characters. If an attacker submits a malicious string, such as

Code Example (Attack):
then the HTTP response would be split into two responses of the following form:

Code Example (Result):
The second response is completely controlled by the attacker and can be constructed with any header and body content desired. The ability to construct arbitrary HTTP responses permits a variety of resulting attacks, including:
- cross-user defacement
- web and browser cache poisoning
- cross-site scripting
- page hijacking

If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.

Code Example (Bad, Java):
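As an added example that is not the entry's own code, the cookie scenario above and the log-forging case below it, worked through in Python: the unvalidated Set-Cookie construction, a lenient split that shows a value carrying CR/LF turning one response into two, and the two mitigations the entry names (reject CR/LF before a header, quote it before a log line). All function names and the sample values are constructed for illustration.

```python
import re

CRLF = "\r\n"
# Raw CR/LF, or the percent-encoded forms a downstream URL-decode would turn into them.
CRLF_PATTERN = re.compile(r"[\r\n]|%0[da]", re.IGNORECASE)

def build_response_unvalidated(author: str) -> str:
    """Vulnerable: the user-supplied author value goes straight into Set-Cookie."""
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Set-Cookie: author=" + author + CRLF
        + CRLF
        + "<html>...</html>"
    )

def split_responses(raw: str) -> list:
    """Split a raw stream the way a lenient client might: every line that
    starts with an HTTP status line begins a new response."""
    return re.split(r"\r\n(?=HTTP/1\.[01] \d{3} )", raw)

def has_crlf(value: str) -> bool:
    """True if the value carries a CR/LF sequence in raw or %0d/%0a form."""
    return CRLF_PATTERN.search(value) is not None

def build_response_validated(author: str) -> str:
    """Mitigation from the entry: refuse CR/LF before the value reaches a header."""
    if has_crlf(author):
        raise ValueError("header value must not contain CR or LF")
    return build_response_unvalidated(author)

def quote_for_log(value: str) -> str:
    """Mitigation for log messages: quote CR/LF so one value cannot forge a new entry."""
    return value.replace("\r", "\\r").replace("\n", "\\n")

# Constructed sample inputs: the benign value from the entry, and a value that
# carries CRLF plus a second (harmless) status line to show the split.
BENIGN_AUTHOR = "Jane Smith"
SPLITTING_AUTHOR = (
    "Wiley Hacker" + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 5" + CRLF + CRLF + "Hello"
)

if __name__ == "__main__":
    print(len(split_responses(build_response_unvalidated(BENIGN_AUTHOR))), "response(s)")
    print(len(split_responses(build_response_unvalidated(SPLITTING_AUTHOR))), "response(s)")
    print(quote_for_log("login failed for bob" + CRLF + "login ok for admin"))
```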
Observed Examples
CVE-2002-1771: CRLF injection enables spam proxy (add mail headers) using email address or name.
CVE-2002-1783: CRLF injection in API function arguments modify headers for outgoing requests.
CVE-2004-1513: Spoofed entries in web server log file via carriage returns.
CVE-2006-4624: Chain: inject fake log entries with fake timestamps using CRLF injection.
CVE-2005-1951: Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
CVE-2004-1687: Chain: HTTP response splitting via CRLF in parameter related to URL.
Applicable Platforms
Languages:
Not Language-Specific: Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
  • OWASP Top Ten 2007
  • WASC
  • Software Fault Patterns