CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Percentile: 69.9%
An attacker could sneak a newline (\n) into both header names and header values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slim-Psr7 would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with a PSR-18 HTTP client. The latter might present a denial of service vector if a remote service's web application firewall bans the application due to the receipt of malformed requests.
The issue is patched in 1.6.1, 1.5.1, and 1.4.1.
In Slim-Psr7 prior to 1.6.1, 1.5.1, and 1.4.1, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().
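The workaround above (validate header keys and values, strip leading or trailing newlines from user-supplied input before calling withHeader()) can be implemented as a small gate in front of any PSR-7 message. The following PHP is an added example and is not code from the Slim-Psr7 project; the function names (isValidHeaderName, isValidHeaderValue, sanitiseHeaderValue, checkHeaders) and the sample header pairs are this example's own constructions. It checks names against the RFC 7230 section 3.2.4 token grammar and rejects CR and LF anywhere in a value, so a newline embedded in the middle of a value is refused rather than merely trimmed.

```php
<?php
// Added example (not Slim-Psr7 code): validate HTTP header names and values
// against RFC 7230 section 3.2.4 before handing them to a PSR-7 withHeader().
declare(strict_types=1);

/**
 * RFC 7230 field-name is a "token": one or more tchar characters.
 * tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
 *         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
 * \z (not $) is used so a trailing newline cannot slip past the anchor.
 */
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/', $name) === 1;
}

/**
 * RFC 7230 field-value may contain VCHAR, SP, HTAB and obs-text (0x80-0xFF).
 * CR (0x0D), LF (0x0A) and every other control character are rejected,
 * which is what blocks header splitting.
 */
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\x09\x20-\x7E\x80-\xFF]*\z/', $value) === 1;
}

/**
 * Apply the advisory's mitigation (strip leading/trailing CR and LF), then
 * refuse anything that still fails validation. Returns null when the value
 * cannot be made safe; the caller should drop the header, not forward it.
 */
function sanitiseHeaderValue(string $value): ?string
{
    $trimmed = trim($value, "\r\n");
    return isValidHeaderValue($trimmed) ? $trimmed : null;
}

/**
 * Partition [name, value] pairs into headers safe to pass to withHeader()
 * and headers that must be rejected, with the reason for each rejection.
 */
function checkHeaders(array $pairs): array
{
    $accepted = [];
    $rejected = [];
    foreach ($pairs as [$name, $value]) {
        if (!isValidHeaderName($name)) {
            $rejected[] = [$name, 'invalid header name'];
            continue;
        }
        $clean = sanitiseHeaderValue($value);
        if ($clean === null) {
            $rejected[] = [$name, 'invalid header value'];
            continue;
        }
        $accepted[$name] = $clean;
        // Only at this point is it safe to call, for a PSR-7 $request:
        // $request = $request->withHeader($name, $clean);
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample input, as an attacker-influenced header map might look.
$samples = [
    ['X-Request-Id', 'abc123'],           // valid as-is
    ['X-Forwarded-For', "1.2.3.4\n"],     // trailing LF: trimmed, then accepted
    ['X-Note', "a\r\nOther: b"],          // embedded CRLF: rejected
    ["X-Bad\nName", 'v'],                 // newline in the name: rejected
    ['', 'v'],                            // empty name is not a token: rejected
];

$result = checkHeaders($samples);
foreach ($result['accepted'] as $name => $value) {
    echo "OK  $name: $value\n";
}
foreach ($result['rejected'] as [$name, $reason]) {
    printf("REJ %s (%s)\n", json_encode($name), $reason);
}
```

Run with `php check_headers.php`; the two well-formed pairs are printed as OK and the other three as REJ with their reason. Trimming alone matches the advisory's minimal workaround, but the validation step is what makes the gate equivalent to the patched library's behaviour, since a CR or LF in the middle of a value is exactly what the fixed releases refuse.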
We are very grateful to and thank Graham Campbell (https://gjcampbell.co.uk/) for reporting and working with us on this issue.
github.com/slimphp/Slim-Psr7
github.com/slimphp/Slim-Psr7/commit/ed1d553225dd190875d8814c47460daed4b550bb
github.com/slimphp/Slim-Psr7/issues/284#issuecomment-1541328898
github.com/slimphp/Slim-Psr7/releases/tag/1.4.1
github.com/slimphp/Slim-Psr7/releases/tag/1.5.1
github.com/slimphp/Slim-Psr7/releases/tag/1.6.1
github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw
nvd.nist.gov/vuln/detail/CVE-2023-30536
www.rfc-editor.org/rfc/rfc7230#section-3.2.4