CRLF Injection

Injecting CR / LF byte pairs into headers lets an attacker inject extra headers, split responses, or smuggle requests.

Definition

CRLF injection is the bug class that arises when an application includes user input in an HTTP header, an SMTP header, or any other line-oriented protocol without filtering carriage-return / line-feed sequences. Because CRLF is the protocol's record separator, an injected `\r\n` lets the attacker terminate the current header and start a new one — frequently a security-relevant one (`Set-Cookie`, `Location`, `Content-Type`).

The most damaging variant is HTTP response splitting: an attacker who can inject CRLF into a response header inserts an entire second response (with its own status line, headers, and body) that downstream caches may treat as canonical.

How it works

The application reads a value from a query parameter and emits it into a header — for example, a redirect endpoint that emits `Location: <input>`. The attacker submits an input containing `\r\nSet-Cookie: session=evil`. The output stream now contains two headers; the cookie is attached to the response, and a shared cache may serve it to other users.

Impact

Header injection, cache poisoning, XSS through forged Content-Type, session fixation via attacker-controlled cookies.

Mitigation

Strip or reject CR / LF from any user input that will appear in a header. Modern HTTP libraries do this by default — but bespoke header-emitting code in legacy applications often does not. Treat any code path that builds a header from input as security-critical.
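The redirect endpoint described under "How it works", beside the check this section calls for, as an added example that is not code from the original page: a bespoke emitter that concatenates the query value into `Location`, the same emitter with CR/LF rejected up front, and a small parser that shows how a downstream client or cache reads the result. The parameter name `to` and the request line are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A CR or LF inside a header value is the protocol's line terminator.
CRLF_RE = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR or LF character."""
    return CRLF_RE.search(value) is None


def build_redirect_vulnerable(location: str) -> bytes:
    """Bespoke emitter like the legacy code the page describes:
    the value is concatenated into Location unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    """Same emitter, but the value is rejected before it reaches the wire."""
    if not is_safe_header_value(location):
        raise ValueError("CR/LF not allowed in header value")
    return build_redirect_vulnerable(location)


def parse_headers(raw: bytes) -> dict:
    """What a downstream client or cache sees: one entry per header line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def redirect_param_from_request_line(request_line: str) -> str:
    """Percent-decode the hypothetical 'to' parameter as a framework would;
    %0d%0a becomes a literal CR/LF before the emitter ever sees it."""
    path = request_line.split(" ")[1]
    return parse_qs(urlsplit(path).query).get("to", [""])[0]


# Constructed request line carrying URL-encoded CR/LF (%0d%0a).
PROBE = "GET /redirect?to=https://example.test/%0d%0aSet-Cookie:%20session=evil HTTP/1.1"
```

Run `parse_headers(build_redirect_vulnerable(redirect_param_from_request_line(PROBE)))` to see the single `Location` value become two headers, and `build_redirect_hardened` on the same value to see it refused.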

Examples

  • CVE-2019-0220 — Apache mod_rewrite CRLF injection in normalised URLs.
