Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Affecting crow package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.16% (38th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CONAN-CROW-10075485
  • published8 May 2025
  • disclosed5 Jun 2023
  • creditAlessio Della Libera - Snyk Research Team

Introduced: 5 Jun 2023

CVE-2023-26142  (opens in a new tab)
CWE-113  (opens in a new tab)
First added by Snyk

How to fix?

There is no fixed version for crow.

Overview

Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.

References

CVSS Base Scores

version 3.1