Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values.
AnalysisAI
HTTP response header injection in CrowCpp Crow through v1.3.1 allows remote attackers to inject arbitrary CR/LF sequences into response headers when application code passes unvalidated input to header-setting APIs. The flaw stems from the framework not stripping \r\n characters in header keys or values, enabling CRLF injection that can lead to response splitting, cache poisoning, or XSS depending on how the embedding application uses user input. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the upstream fix in PR #1167 confirms the issue and provides a sanitization routine.
Technical ContextAI
Crow is a C++ header-only micro web framework (similar in design to Python's Flask) used to build HTTP servers and REST APIs in C++ applications. The root cause is CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers / HTTP Response Splitting): the framework's response and request header setters in include/crow/http_response.h and include/crow/http_request.h accepted arbitrary strings as header keys and values without filtering carriage-return (\r) or line-feed (\n) bytes. Because HTTP uses CRLF as a delimiter between headers and between headers and the body, an attacker-controlled value containing \r\n can terminate the current header early and inject additional headers or even a full second response. The upstream patch (PR #1167) introduces a sanitize_header_value() helper that strips \r and \n from both keys and values at the point where headers are set, and adds a demonstration example (helloworld_inject.cpp) showing the unsafe set_header("X-Custom", "safe\r\nInjected: yes") pattern.
RemediationAI
Upstream fix available via GitHub PR https://github.com/CrowCpp/Crow/pull/1167, which adds a sanitize_header_value() routine that strips \r and \n from header keys and values in both http_request.h and http_response.h; a released patched version is not independently confirmed in the provided data, so consumers should pull the post-PR-1167 commit from the CrowCpp/Crow repository and rebuild, or wait for a tagged release after v1.3.1. As a code-level workaround until the upgrade lands, audit every call site that invokes res.set_header(), res.add_header(), or request header setters with non-literal data and wrap the value with an equivalent strip of \r and \n before passing it in - note this requires source changes and a rebuild since Crow is header-only. At the perimeter, a reverse proxy or WAF (nginx, HAProxy, Envoy, ModSecurity) can be configured to drop or reject upstream responses containing bare CRLF inside header values, with the trade-off that strict header validation may break legitimate multi-line legacy headers and adds an extra hop. Avoid disabling Crow's header API as a mitigation since that would break normal application functionality.
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34020
GHSA-jjvh-j394-wqm7