Improper header validation in httpsoft/http-message

2023-04-2120:27:12

Google

osv.dev

improper header parsing

newline injection

vulnerability

httpsoft

header validation

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.003 Low

EPSS

Percentile

65.6%

JSON

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.0.12.

Workarounds

There are no known workarounds.

References

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

CPENameOperatorVersion
httpsoft/http-messageeq1.0.2
httpsoft/http-messageeq1.0.6
httpsoft/http-messageeq1.0.3
httpsoft/http-messageeq1.0.1
httpsoft/http-messageeq1.0.0
httpsoft/http-messageeq1.0.4
httpsoft/http-messageeq1.0.7
httpsoft/http-messageeq1.0.5
httpsoft/http-messageeq1.0.9
httpsoft/http-messageeq1.0.10

Name	Operator	Version
httpsoft/http-message	eq	1.0.2
httpsoft/http-message	eq	1.0.6
httpsoft/http-message	eq	1.0.3
httpsoft/http-message	eq	1.0.1
httpsoft/http-message	eq	1.0.0
httpsoft/http-message	eq	1.0.4
httpsoft/http-message	eq	1.0.7
httpsoft/http-message	eq	1.0.5
httpsoft/http-message	eq	1.0.9
httpsoft/http-message	eq	1.0.10