Skip to content

CRLF Injection

Description

CRLF occurs when an attacker can abuse the carriage return character (\r) and a newline character () in an HTTP request in order to inject new headers or a new body for the HTTP request. This attack is a very dangerous attack as it can give the attacker the ability to create whatever request he wants.

Remediation

The only way to prevent CRLF attacks is to carefully sanitize every message that is sent by the client.

GraphQL Specific

Apollo To prevent CRLF (Carriage Return Line Feed) injection attacks in the Apollo framework, ensure that user input is properly sanitized before being used in HTTP headers or any other outputs. Implement strict input validation to reject any input containing CRLF characters. Additionally, use built-in security features of the framework and libraries for setting HTTP headers to automatically encode potentially dangerous characters. Regularly update the Apollo framework and its dependencies to incorporate security patches that may address CRLF vulnerabilities.
Yoga To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in the Yoga framework engine, ensure that user input is properly sanitized before being used in output functions. Implement strict input validation to reject any input containing CRLF characters or sequences. Additionally, use context-aware encoding functions to encode output according to the specific context in which it is rendered (e.g., HTML, URL, JavaScript). It is also advisable to set appropriate HTTP headers such as 'Content-Type' and 'Content-Disposition' to prevent content sniffing that could lead to CRLF injection attacks.
Awsappsync To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in AWS AppSync, ensure that all user-supplied input is properly sanitized before being processed. Implement input validation to reject any input containing CRLF characters or sequences. Additionally, use built-in AWS AppSync security features to encode and handle data safely. Regularly update and review security policies to prevent injection attacks.
Graphqlgo To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in a GraphQL Go framework engine, ensure that user input is properly sanitized before being processed. Implement strict input validation to reject any input containing CRLF characters or sequences. Additionally, use context-aware escaping functions when handling user input to prevent the injection of arbitrary CRLF sequences into headers or other sensitive parts of the HTTP response. Regularly review and update your security practices to address new and emerging threats.
Graphqlruby To prevent CRLF (Carriage Return Line Feed) injection attacks in the GraphQL Ruby framework, ensure that user-supplied input is properly sanitized before being used in HTTP headers or any other outputs. Utilize built-in Ruby methods to encode or escape special characters, and consider implementing a robust input validation library to enforce strict input patterns. Additionally, set response headers to treat the content as data, not as executable code, by using content type headers like 'Content-Type: text/plain' for plain text responses.
Hasura To mitigate CRLF (Carriage Return Line Feed) injection vulnerabilities in the Hasura framework, ensure that user input is properly sanitized before being used in any context. Implement strict input validation to reject any suspicious or malformed input. Additionally, configure Hasura's built-in security features to encode or escape CRLF sequences in both URLs and headers to prevent response splitting attacks. Regularly review and update your security practices to address new threats.
Agoo Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the Agoo framework engine.
Ariadne Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the Ariadne framework engine.
Caliban Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the Caliban framework engine.
Dgraph Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Dgraph framework.
Dianajl Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the DianaJL framework engine.
Directus Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Directus framework.
Flutter Validate and sanitize all user inputs to prevent CRLF injection in HTTP requests within the Flutter framework. Use libraries or built-in functions that automatically handle special characters and ensure that any input used in HTTP headers or bodies is properly encoded.
Graphene Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Graphene framework.
Graphqlapiforwp Ensure that all user inputs are properly sanitized and validated before being processed by the GraphQL API. Implement input validation mechanisms to strip or encode CRLF characters, and use libraries or frameworks that automatically handle such sanitization to prevent CRLF injection vulnerabilities.
Graphqlgophergo Sanitize and validate all user inputs to ensure that CRLF characters are not included in any GraphQL queries or mutations. Use libraries or built-in functions to escape or remove these characters before processing the input.
Graphqljava Validate and sanitize all user inputs to ensure that CRLF characters are not included in any GraphQL queries or mutations. Additionally, use libraries or middleware that automatically escape or handle special characters to prevent injection attacks.
Graphqlphp Sanitize and validate all user inputs to prevent CRLF injection in GraphQL queries and responses. Ensure that any dynamic content is properly encoded and avoid directly inserting user input into HTTP headers or responses.
Graphqlyoga Validate and sanitize all input data to prevent CRLF injection in the GraphQL Yoga framework. Ensure that user inputs are properly encoded and do not contain any unexpected carriage return or newline characters before processing them in HTTP requests.
Hypergraphql Validate and sanitize all user inputs to ensure that CRLF characters are not included, and use libraries or frameworks that automatically handle HTTP header construction to prevent injection vulnerabilities.
Jaal Sanitize and validate all user inputs to prevent CRLF injection in the Jaal framework engine by escaping or removing carriage return and newline characters.
Juniper Sanitize and validate all user inputs to ensure that CRLF characters are not included, and use built-in security features of the Juniper framework to handle HTTP headers safely.
Lacinia Sanitize and validate all user inputs to ensure that CRLF characters are not included, and use framework-provided methods to safely handle HTTP headers and responses.
Lighthouse Sanitize and validate all user inputs to prevent CRLF characters from being processed, and use libraries or frameworks that automatically handle input encoding and escaping.
Mercurius Sanitize and validate all user inputs to ensure that CRLF characters are not included, and use libraries or functions provided by the Mercurius framework to handle HTTP headers safely.
Morpheusgraphql Sanitize and validate all user inputs to prevent CRLF characters from being processed by the Morpheus GraphQL engine. Implement strict input validation and encoding practices to ensure that any carriage return and newline characters are properly handled or removed before processing requests.
Qglgen Validate and sanitize all user inputs to prevent CRLF characters from being processed. Use libraries or functions provided by the qglgen framework to ensure that input data is properly escaped or encoded before being included in HTTP headers or responses.
Sangria Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Sangria framework.
Shopify Sanitize and validate all user inputs to prevent CRLF injection by escaping or removing carriage return and newline characters in the Shopify framework.
Stepzen Validate and sanitize all user inputs to ensure that CRLF characters are not included, and use libraries or built-in functions provided by the StepZen framework to handle HTTP headers safely.
Strawberry Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the Strawberry Framework engine.
Tartiflette Validate and sanitize all user inputs to ensure that CRLF characters are not included, and use Tartiflette's built-in mechanisms to handle HTTP headers safely.
Wpgraphql Sanitize and validate all user inputs to ensure that CRLF characters are not included in any HTTP headers or request parameters within the WPGraphQL framework.

REST Specific

Asp_net To prevent CRLF injection attacks in ASP.NET, encode user input before including it in HTTP headers or responses. Utilize the `HttpUtility.HtmlEncode` method for HTML output and `UrlEncode` for URL components. Additionally, set the `validateRequest` attribute to `true` in the web.config file to enable built-in request validation, and consider implementing a custom header validation routine to check for CRLF sequences.
Ruby_on_rails In Ruby on Rails, to prevent CRLF injection, ensure that user input is properly validated and encoded. Use built-in Rails methods such as `json_escape` to encode output and `strip` to remove unwanted carriage return and newline characters from user input. Additionally, set response headers explicitly using Rails' response object methods and avoid directly injecting user-controlled data into headers or responses.
Next_js To mitigate CRLF injection attacks in Next.js, ensure that user input is properly sanitized by encoding or escaping CRLF sequences before incorporating them into HTTP headers or responses. Utilize middleware or built-in functions to encode output, and rigorously validate and sanitize all user inputs to prevent the injection of malicious characters.
Laravel In Laravel, to prevent CRLF injection attacks, ensure that user input is properly sanitized before including it in HTTP headers. Use Laravel's built-in validation features to filter and escape input data. Additionally, avoid directly setting headers with user-supplied data and employ middleware that can strip out any CRLF characters from incoming requests.
Express_js To mitigate CRLF injection attacks in Express.js, ensure that user input is properly sanitized by escaping CRLF sequences. Use middleware such as `helmet` to set secure HTTP headers and employ libraries like `express-validator` to validate and sanitize input. Avoid directly injecting user content into headers or responses, and consistently encode output when dynamically generating web pages.
Django In Django, ensure that user input is properly escaped by using Django's built-in template system which automatically handles escaping. Additionally, use Django's HttpResponse objects to construct responses and avoid manually concatenating headers or body content. Always validate and sanitize input to prevent injection of arbitrary CRLF sequences.
Symfony In Symfony, to prevent CRLF injection attacks, ensure that any user input that is included in HTTP headers is properly sanitized. Use the 'Response' object to set headers instead of raw header functions, and employ the 'setHeader' method which automatically handles special characters. Additionally, validate and sanitize all user inputs to remove or encode carriage return ( ) and newline ( ) characters. Consider using Symfony's built-in functions and components, such as the 'HttpFoundation' component, to manage responses securely.
Spring_boot In Spring Boot applications, to prevent CRLF injection attacks, ensure that user input is properly validated and encoded. Use built-in security features such as HttpFirewall to restrict the characters allowed in URLs. Additionally, set 'server.tomcat.relaxed-query-chars' and 'server.tomcat.relaxed-path-chars' properties in application.properties to explicitly define which characters are permitted. Always encode user-controlled data before including it in HTTP headers to prevent malicious input from manipulating the response.
Flask In Flask, to prevent CRLF injection, ensure that user input is properly sanitized by escaping carriage return and newline characters. Use the `werkzeug` utility functions such as `escape()` to encode user input before incorporating it into HTTP headers or responses. Additionally, set response headers explicitly using Flask's `Response` object and avoid directly concatenating user-controlled data into headers or status lines.
Nuxt To prevent CRLF injection attacks in a Nuxt.js application, ensure that user input is properly sanitized before being included in HTTP headers or responses. Utilize libraries that encode or strip out CRLF characters from inputs, and always validate and escape user data based on the context in which it is used. Additionally, set up content security policies (CSP) to reduce the impact of any potential injection.
Fastapi In FastAPI, to prevent CRLF injection attacks, ensure that user input is properly sanitized by escaping CRLF characters. Use built-in security features such as automatic data validation and avoid directly passing user input to response headers or status codes. Implement strict input validation using Pydantic models to define acceptable patterns and types.
Frappe Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Frappe framework.
Genzio Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly encoded or removed before processing HTTP requests in the Genzio framework engine.
Gin Validate and sanitize all user inputs to ensure that CRLF characters are not present, and use built-in functions in the Gin framework to safely handle HTTP headers and responses.
Gorilla Sanitize and validate all user inputs to ensure that CRLF characters are not included, and use libraries or frameworks that automatically handle CRLF injection prevention.
Hapi Validate and sanitize all user inputs to ensure that CRLF characters are not included, and use Hapi's built-in input validation features to prevent injection attacks.
Hono Validate and sanitize all user inputs to ensure that CRLF characters are not present, and use framework-provided methods to safely handle HTTP headers and responses.
Jersey Validate and sanitize all user inputs to ensure that CRLF characters are not present, and use framework-provided methods to safely handle HTTP headers and responses in the Jersey framework.
Koa Sanitize and validate all user inputs to prevent CRLF injection in the Koa framework by using libraries like 'koa-body' to parse request bodies safely and ensure that any input used in HTTP headers is properly encoded.
Ktor Validate and sanitize all user inputs to ensure that CRLF characters are not included, and use Ktor's built-in features to handle headers safely.
Leptos Sanitize and validate all user inputs to ensure that carriage return and newline characters are properly escaped or removed before processing HTTP requests in the Leptos framework.
Macaron Validate and sanitize all user inputs to prevent CRLF characters from being processed. Use built-in functions in the Macaron framework to escape or remove these characters before processing HTTP requests.
Phoenix Sanitize and validate all user inputs to prevent CRLF injection in Phoenix Framework by using functions like `Plug.Conn.put_resp_header/3` to safely set headers, and ensure that any dynamic content is properly encoded or escaped.
Redwoodjs Ensure that all user inputs are properly sanitized and validated before being included in HTTP headers or responses. Utilize RedwoodJS's built-in security features and libraries to prevent CRLF injection by escaping or removing any carriage return and newline characters from user inputs.
Rocket Sanitize and validate all user inputs to ensure that CRLF characters are not included, and use framework-provided methods to safely handle HTTP headers and responses.
Sveltekit Sanitize and validate all user inputs to prevent CRLF injection in SvelteKit applications. Use built-in functions to escape special characters and ensure that any input used in HTTP headers or responses is properly encoded.

Configuration

Identifier: injection/crlf

Examples

Ignore this check

checks:
  injection/crlf:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API10:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 93

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References