CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Avoid using CRLF as a special sequence.
Phase
Description
Appropriately filter or quote CRLF sequences in user-controlled input.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
Assuming a string consisting of standard alpha-numeric characters, such as "Jane Smith", is submitted in the request the HTTP response including this cookie might take the following form:
If user input data that eventually makes it to a log message isn't checked for CRLF characters, it may be possible for an attacker to forge entries in a log file.
Observed CVE Examples (6)
CRLF injection enables spam proxy (add mail headers) using email address or name.
View DetailsCRLF injection in API function arguments modify headers for outgoing requests.
View DetailsChain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')?+
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
What are the security consequences of Improper Neutralization of CRLF Sequences ('CRLF Injection')?+
If exploited, CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) it can compromise Integrity, leading to outcomes such as Modify Application Data.
How do you prevent or mitigate Improper Neutralization of CRLF Sequences ('CRLF Injection')?+
Recommended mitigations for CWE-93 include: Avoid using CRLF as a special sequence. Appropriately filter or quote CRLF sequences in user-controlled input.
Which programming languages are affected by Improper Neutralization of CRLF Sequences ('CRLF Injection')?+
CWE-93 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Improper Neutralization of CRLF Sequences ('CRLF Injection')?+
MITRE documents real CVEs mapped to CWE-93, including CVE-2002-1771, CVE-2002-1783, CVE-2004-1513, CVE-2006-4624 and CVE-2005-1951. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-93 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.