Security Advisory Description
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. (CVE-2020-26137)
Impact
An attacker may use this vulnerability to inject additional HTTP headers via the HTTP method, which allows the attacker to perform a smuggling attack and/or allow a client to bypass HTTP headers with security purpose.