Crow
CVE-2023-26142
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content.
AnalysisAI
All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-113. All versions of the package crow are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. Header values are not properly sanitized against CRLF Injection in the set_header and add_header functions. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content. Affected products include: Crowcpp Crow.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
HTTP applications (servers) based on Crow through 1.0+4 may allow a Use-After-Free and code execution when HTTP pipelini
Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h. Rated critical severity
HTTP applications (servers) based on Crow through 1.0+4 may reveal potentially sensitive uninitialized data from stack m
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today