Improper header parsing. An attacker could sneak in a newline (\n
) into both the header names and values. While the specification states that \r\n\r\n
is used to terminate the header list, many servers in the wild will also accept \n\n
.
The issue is patched in 1.0.12.
There are no known workarounds.
{ "nvd_published_at": null, "github_reviewed_at": "2023-04-21T20:27:12Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-436" ] }