GHSA-fv92-fjc5-jj9h
CRLF Injection vulnerability in v2 (Go)
What is GHSA-fv92-fjc5-jj9h About?
This vulnerability is a CRLF injection in Tornado's `curl_httpclient.CurlAsyncHTTPClient` that fails to validate carriage return/line feed characters in request headers. This can lead to arbitrary header injection or new request creation, potentially facilitating SSRF. Exploitation is straightforward if an application includes attacker-controlled header values.
Affected Software
Technical Details
The `curl_httpclient.CurlAsyncHTTPClient` class in Tornado is vulnerable to CRLF injection because it does not sanitize or reject carriage return (`\r`) or line feed (`\n`) characters in HTTP request headers before passing them to libcurl. libcurl itself does not validate these characters in the `CURLOPT_HTTPHEADER` option. An attacker can inject `\r\n` sequences into a header value, terminating the current header and appending arbitrary new headers. By chaining multiple `\r\n` sequences, an attacker can terminate the header section entirely and supply a new HTTP request body, or initiate a new request to a different path or host, enabling server-side request forgery (SSRF) or HTTP request smuggling.
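As an added illustration (not code from the advisory or from Tornado), a validator an application can apply to every header name and value before building a request for `CurlAsyncHTTPClient`, following the RFC 7230 token and field-value grammar so that CR, LF and NUL are rejected rather than handed to libcurl; `injected_line_count` is a companion check that reports how many header lines an unvalidated value would turn into. The header values used in the demo are constructed samples.

```python
import re
from typing import Dict, Mapping

# RFC 7230 header name: 1*tchar
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 7230 field-value: VCHAR / SP / HTAB / obs-text; CR, LF and NUL excluded
_FIELD_VALUE_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


class UnsafeHeaderError(ValueError):
    """Raised when a header name or value could split the header block."""


def validate_header(name: str, value: str) -> None:
    """Refuse names/values that would break a 'name: value' header line.

    CurlAsyncHTTPClient passes headers to CURLOPT_HTTPHEADER verbatim, so any
    CR or LF here becomes a line terminator in the outgoing request.
    fullmatch() is used on purpose: '$' would accept a trailing newline.
    """
    if not _TOKEN_RE.fullmatch(name):
        raise UnsafeHeaderError(f"invalid header name: {name!r}")
    if not _FIELD_VALUE_RE.fullmatch(value):
        raise UnsafeHeaderError(f"control characters in value of {name!r}")


def safe_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of headers after validating every name and value."""
    for name, value in headers.items():
        validate_header(name, value)
    return dict(headers)


def injected_line_count(name: str, value: str) -> int:
    """Number of header lines a naive 'name: value' serialization yields.

    Detection check: anything above 1 means the value would smuggle extra
    header lines if it reached the client unvalidated.
    """
    return len(re.split(r"\r\n|\r|\n", f"{name}: {value}"))


if __name__ == "__main__":
    # Constructed sample of headers a service might forward from a caller.
    print(safe_headers({"X-Request-Id": "abc123", "User-Agent": "svc/1.0"}))
    # Constructed value carrying a CRLF sequence; must be rejected.
    tainted = {"X-Forwarded-For": "198.51.100.7\r\nX-Injected: yes"}
    print("lines:", injected_line_count(*next(iter(tainted.items()))))
    try:
        safe_headers(tainted)
    except UnsafeHeaderError as exc:
        print("rejected:", exc)
```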
What is the Impact of GHSA-fv92-fjc5-jj9h?
Successful exploitation may allow attackers to inject arbitrary HTTP headers, create new HTTP requests, or facilitate server-side request forgery (SSRF), potentially leading to unauthorized access, information disclosure, or further network exploitation.
What is the Exploitability of GHSA-fv92-fjc5-jj9h?
Exploitation of this CRLF injection vulnerability is of low to medium complexity. It requires the application to use `CurlAsyncHTTPClient` and to place attacker-controlled data directly in HTTP request headers without proper sanitization. No authentication or privilege is required beyond the ability to influence a header value. This is typically a remote attack when the vulnerable application makes outbound HTTP requests based on user input. The key constraints are the presence of `CurlAsyncHTTPClient` and insufficient input validation. The risk is high for applications that use this client to forward or construct HTTP requests with user-supplied data in headers, since that makes SSRF easier to achieve.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-fv92-fjc5-jj9h?
Available Upgrade Options
- github.com/go-viper/mapstructure/v2: <2.3.0 → Upgrade to 2.3.0
Additional Resources
What are Similar Vulnerabilities to GHSA-fv92-fjc5-jj9h?
Similar Vulnerabilities: CVE-2020-14002, CVE-2021-37703, CVE-2020-11005, CVE-2023-45133, CVE-2023-49080
