CRLF injection in urllib3
Moderate severity
GitHub Reviewed
Published
Jun 18, 2021
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Sep 30, 2020
Reviewed
Jun 17, 2021
Published to the GitHub Advisory Database
Jun 18, 2021
Last updated
Nov 18, 2024
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of
putrequest()
. NOTE: this is similar to CVE-2020-26116.References