Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2024-45302

Severity Medium
Score 6.1/10

Summary

RestSharp is a simple REST and HTTP API client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`.

HTTP headers are added to a request via the `HttpHeaders.TryAddWithoutValidation` method, which does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF injection. In general, CRLF injection into an HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF injection. This is not necessarily a security issue for a command-line application like the one above. Still, if such code were present in a web application, it would become vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking, this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but at the very least there needs to be a warning about this behaviour in the RestSharp documentation.

All users are advised to upgrade. There are no known workarounds for this vulnerability. This issue affects RestSharp versions from 107.0.0-preview.1 up to, but not including, 111.4.2-alpha.0.3.
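As an added example (not RestSharp's own code and not from the advisory), a caller-side check that rejects CR, LF and other control characters in a header value before it reaches `RestRequest.AddHeader`. The helper name `AddCheckedHeader`, the `/status` resource and the sample values are constructed for illustration; the check complements upgrading and does not replace it.

```csharp
using System;
using RestSharp;

public static class HeaderGuard
{
    // Hypothetical helper (not a RestSharp API): validate the value, then
    // delegate to the real RestRequest.AddHeader.
    public static RestRequest AddCheckedHeader(this RestRequest request, string name, string value)
    {
        if (request is null) throw new ArgumentNullException(nameof(request));
        if (value is null) throw new ArgumentNullException(nameof(value));

        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            // CR and LF end a header line in HTTP/1.1; reject them along with
            // every other control character except horizontal tab.
            if (char.IsControl(c) && c != '\t')
                throw new ArgumentException(
                    $"Header '{name}' value has control character U+{(int)c:X4} at index {i}.",
                    nameof(value));
        }

        request.AddHeader(name, value);
        return request;
    }
}

public static class Demo
{
    public static void Main()
    {
        var request = new RestRequest("/status");

        // Constructed sample inputs standing in for user-controlled data.
        request.AddCheckedHeader("X-Trace-Id", "abc123");   // accepted
        try
        {
            // Value carrying a CRLF followed by a second header line.
            request.AddCheckedHeader("X-Trace-Id", "abc123\r\nX-Extra: 1");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"Rejected: {ex.Message}");
        }
    }
}
```

The same check applies to values passed to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`, which the advisory lists as affected in the same way.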

  • LOW
  • LOCAL
  • NONE
  • UNCHANGED
  • REQUIRED
  • NONE
  • LOW
  • HIGH

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Advisory Timeline

  • Published