CRLF Injection

ID

crlf_injection

Severity

high

Kind

CRLF Injection

CWE

113

Description

CRLF injection occurs when an attacker inserts carriage return (CR, %0d) and line feed (LF, %0a) characters into user-supplied input that is incorporated into HTTP response headers. Because HTTP uses CRLF sequences to delimit headers and separate headers from the body, injecting these characters allows the attacker to manipulate the structure of the HTTP response. This can result in HTTP response splitting, where a single server response is turned into two or more responses, enabling the attacker to control headers and body content delivered to the client.

Rationale

By exploiting CRLF injection, an attacker can set arbitrary HTTP response headers, inject malicious cookies, or craft entirely new response bodies. This enables secondary attacks such as cross-site scripting (XSS), web cache poisoning, session fixation, and phishing through page content manipulation. The vulnerability is particularly dangerous because it undermines the trust boundary between HTTP headers and body content, allowing an attacker to control what the browser renders or how proxies cache responses.

Remediation

Strip or reject carriage return (\r) and line feed (\n) characters from any user-supplied input before it is used in HTTP headers. Alternatively, percent-encode or otherwise neutralize CRLF sequences so they cannot be interpreted as header delimiters.

Use a web framework or HTTP library that automatically prevents CRLF sequences from being included in response headers. Most modern frameworks reject or sanitize header values containing newline characters by default.

Apply an allowlist-based validation approach for input that will be reflected in headers, such as redirect URLs or cookie values. Ensure that only expected, safe characters are permitted.
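To make the splitting mechanism and the remediation concrete, here is an added example (not code from the original page) that builds a `Location` header the vulnerable way and the hardened way. The sample redirect targets, the allowlisted host `app.example`, and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample inputs: a benign redirect target and one carrying a
# percent-encoded CRLF (%0d%0a) followed by an attacker-chosen header line.
BENIGN = "https://app.example/dashboard"
CRLF_PAYLOAD = "https://app.example/%0d%0aSet-Cookie:%20session=attacker"
OFF_HOST = "https://evil.example/login"

# Hypothetical allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example"}
# CR, LF and NUL must never appear in a header value.
CTRL = re.compile(r"[\r\n\x00]")


def naive_location_header(raw_param: str) -> str:
    """Vulnerable pattern: the decoded query parameter is written straight into
    the header line. %0d%0a becomes a real CRLF, so one value spans two lines."""
    return "Location: " + unquote(raw_param) + "\r\n"


def safe_location_header(raw_param: str) -> str:
    """Hardened pattern: decode, then (1) reject any CR/LF/NUL and (2) accept only
    absolute http(s) URLs whose host is on the allowlist."""
    value = unquote(raw_param)
    if CTRL.search(value):
        raise ValueError("control characters are not allowed in header values")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target is not on the allowlist")
    return "Location: " + value + "\r\n"


def header_lines(header_block: str) -> list:
    """Split a serialized header block on CRLF as an HTTP parser would.
    A single header must yield exactly one line; more means the response was split."""
    return [line for line in header_block.split("\r\n") if line]


def is_rejected(raw_param: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        safe_location_header(raw_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(header_lines(naive_location_header(CRLF_PAYLOAD)))  # two header lines
    print(is_rejected(CRLF_PAYLOAD), is_rejected(OFF_HOST), is_rejected(BENIGN))
```

The `header_lines` check is also a cheap regression test for any code path that serializes headers: a single header value that yields more than one line is a splitting bug.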