Skip to main content

Microdot CVE-2026-42874

LOW
HTTP Response Splitting (CWE-113)
2026-05-05 https://github.com/miguelgrinberg/microdot
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 19:30 vuln.today
Analysis Generated
May 05, 2026 - 19:30 vuln.today

DescriptionGitHub Advisory

Impact

The Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks.

For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe.

Patches

Upgrade to version 2.6.1.

Workarounds

Do not pass untrusted data to the Response.set_cookie() method.

AnalysisAI

HTTP response splitting in Microdot's Response.set_cookie() method allows header injection attacks when an attacker-controlled XSS payload reaches the server and is stored as a cookie value. The vulnerability stems from unsanitized carriage return and linefeed characters (\r\n) in cookie parameters, enabling an attacker to inject arbitrary HTTP headers. Exploitation requires prior client-side compromise (XSS), limiting the attack to a single compromised client per incident.

Technical ContextAI

Microdot is a lightweight Python web framework (pip package microdot). The vulnerability exists in the Response.set_cookie() method, which handles HTTP Set-Cookie headers. CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers) defines the root cause: the method fails to detect or escape carriage return (\r, 0x0d) and linefeed (\n, 0x0a) bytes in cookie name, value, domain, and path parameters. These bytes are valid HTTP header delimiters; when injected into a Set-Cookie header, they allow an attacker to synthesize additional HTTP headers or terminate the header block prematurely, leading to response splitting. The fix validates the entire constructed HTTP cookie string and raises a ValueError if CRLF sequences are detected, preventing malformed headers from being transmitted.

RemediationAI

Upgrade Microdot to version 2.6.1 or later, which adds validation to reject any cookie parameters containing carriage return or linefeed characters. Apply this patch immediately across all environments running Microdot applications that accept user input destined for cookies. Until patched, avoid passing untrusted or user-controlled data directly to Response.set_cookie(); if user input must be stored in cookies, sanitize it at the application level by stripping or encoding CRLF sequences before passing to set_cookie(). The patch reference is available at https://github.com/miguelgrinberg/microdot/commit/99b281b45faef8472410f2d56bfef496dfbd95d5. Note that the underlying application XSS vulnerability that allows an attacker to inject malicious cookie data in the first place must also be remediated; this patch alone does not protect against XSS, only against the server's unsafe handling of CRLF in cookies.

Share

CVE-2026-42874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy