^{CVE-2020-11709:}CRLF Injection Vulnerability in cpp-httplib through 0.5.8

Overview

The vulnerability (CVE-2020-11709) affects cpp-httplib, a C++ HTTP/HTTPS server and client library, in versions through 0.5.8. The issue stems from insufficient input validation where the library fails to sanitize or escape CRLF sequences (\r\n) in user-controlled input that is later used in HTTP headers. When an application uses the affected set_redirect or set_header functions with unsanitized user input, attackers can manipulate HTTP responses by injecting additional headers or splitting the response into multiple parts. This type of vulnerability falls under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as injection flaws.

Remediation

To remediate this vulnerability, the following actions are recommended:

1. Upgrade cpp-httplib to a version newer than 0.5.8 that contains the fix for this vulnerability.
2. If upgrading is not immediately possible, implement additional validation for any user-supplied input that is passed to the set_redirect or set_header functions to ensure CRLF sequences are properly escaped or removed.
3. Consider implementing a middleware or wrapper function that sanitizes inputs before they are passed to these vulnerable functions.
4. Review application code for instances where user-controlled data is used in HTTP header construction and ensure proper validation is in place.
5. Implement HTTP response headers like Content-Security-Policy to mitigate potential impacts of successful exploitation.

References

1. Vulnerability details and proof of concept: https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495
2. Issue report on GitHub: https://github.com/yhirose/cpp-httplib/issues/425
3. CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component: https://cwe.mitre.org/data/definitions/74.html
4. OWASP HTTP Response Splitting: https://owasp.org/www-community/attacks/HTTP_Response_Splitting