Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Token possession is a privilege prerequisite mapping to PR:L; once held, crafting the injection link is straightforward (AC:L), with S:C reflecting downstream browser or cache impact.
Primary rating from Vendor (fortinet).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
An Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability [CWE-113] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions may allow an attacker in possession of a valid web filter override token to inject arbitrary headers via tricking a user into clicking on a crafted link.
AnalysisAI
HTTP Response Splitting in Fortinet FortiOS and FortiProxy enables an attacker who holds a valid web filter override token to inject arbitrary HTTP headers into server responses by tricking a user into clicking a crafted link. Affected versions span FortiOS 7.2 through 7.6.4 and FortiProxy 7.2 through 7.6.4. No active exploitation has been confirmed by CISA KEV, though the CVSS temporal vector includes E:P, indicating partial proof-of-concept evidence exists. Real-world impact is constrained by the requirement to possess a valid web filter override token and to achieve user interaction.
Technical ContextAI
HTTP Response Splitting (CWE-113) arises when user-controlled data containing CRLF sequences (\r\n) is incorporated into HTTP response headers without sanitization, allowing an attacker to terminate one response header and inject additional headers or even a fabricated response body. In this case, the vulnerable attack surface is the web filter override mechanism within FortiOS and FortiProxy - a feature that allows authorized users to bypass category-based web filtering using a token. CPE data confirms affected products are cpe:2.3:a:fortinet:fortios, cpe:2.3:a:fortinet:fortiproxy, and cpe:2.3:a:fortinet:fortipam. The S:C (Changed Scope) in the CVSS vector reflects that the injected headers may affect a component beyond the FortiOS/FortiProxy instance itself, such as the victim's browser cache or downstream proxy, which is characteristic of response splitting primitives enabling cache poisoning or cross-site scripting.
RemediationAI
Consult the Fortinet FortiGuard advisory FG-IR-26-152 at https://fortiguard.fortinet.com/psirt/FG-IR-26-152 for exact patched build versions; the CVSS temporal marker RL:O confirms an official fix has been released, but specific fix version numbers are not available in the provided input data and should not be assumed. As a compensating control where immediate patching is not feasible, administrators should audit and revoke web filter override tokens for users who do not strictly require them, reducing the pool of tokens an attacker could obtain or abuse. Additionally, user awareness training to avoid clicking unsolicited links from untrusted parties mitigates the UI:R requirement. Disabling the web filter override feature entirely eliminates the attack surface if the feature is not operationally required, though this will prevent legitimate override workflows. Restricting access to the FortiOS/FortiProxy management and web filtering interfaces to trusted networks also reduces exposure.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote a
FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do
Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthor
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthor
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to exec
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210465
GHSA-cm5j-986p-jqrj