CWE-93 CRLF Injection
What this means
SiteShadow flagged a location where untrusted input, which may contain CRLF characters (\r\n), reaches an output such as a response header, a redirect target, a log entry, or a generated response body.
Why it matters
HTTP/1.x delimits headers with CRLF, so an injected \r\n can terminate the current header, add new ones, or end the header block and start a body.
- Attackers may be able to inject headers, including Set-Cookie in some contexts.
- Can contribute to cache poisoning or response manipulation depending on where it lands.
Safer examples
1) Reject \r and \n in header/redirect values
// Throw if the value contains CR or LF. Note: the regex is /[\r\n]/, i.e. the
// actual control characters; /[\\r\\n]/ would only match a backslash, "r" or "n".
// Run the check on the decoded value: %0d%0a in a query string decodes to \r\n.
function rejectCRLF(value) {
  if (/[\r\n]/.test(value)) throw new Error("Invalid characters");
  return value;
}
2) Don't put user input directly into headers
Use server-generated values or allowlists (see CWE-113).
3) Use framework APIs rather than manual header concatenation
Framework header setters typically validate values and reject CR/LF (Node's http module, for example, throws on a header value containing \r or \n); avoid building raw header strings by concatenation.
How SiteShadow detects it (high level)
- Flags header/redirect setters using request-derived values.
- Detects patterns that allow CRLF sequences to enter headers or response metadata.
References
- CWE-93: https://cwe.mitre.org/data/definitions/93.html
---