CVE-2026-29046
Header Injection Vulnerability in TinyWeb CGI Environment Variables
Publication date: 2026-03-06
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ritlabs | tinyweb | < 2.04 (all versions up to, but excluding, 2.04) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CWE-114 | Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29046 is a critical vulnerability in TinyWeb versions prior to 2.04 related to how the web server parses HTTP request headers and maps them into CGI environment variables. The server did not properly reject dangerous control characters such as carriage return (CR), line feed (LF), and null bytes (NUL), including their encoded forms (%0d, %0a, %00).
Because of this insufficient validation, attackers could inject these control characters into HTTP headers, causing confusion across parser boundaries and unsafe data being passed to CGI scripts. This can lead to header injection, request smuggling, or bypassing script-side validation.
The root cause is the lack of strict normalization and rejection of malformed headers before they reach the CGI execution context, which violates the HTTP and CGI standards (RFC 9110, RFC 9112, and RFC 3875).
How can this vulnerability impact me?
This vulnerability can have serious impacts, including allowing attackers to inject malicious control characters into HTTP headers, which can confuse the server's parsing logic and CGI environment.
Such injection can lead to header injection attacks, request smuggling, bypassing of validation logic in CGI scripts, and potentially cause reliability degradation or denial-of-service conditions.
Because the vulnerability requires no privileges or user interaction and can be exploited remotely over the network, it poses a high risk to the integrity and a moderate risk to the availability of affected systems. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP requests containing dangerous control characters such as carriage return (CR), line feed (LF), null bytes (NUL), or their encoded forms (%0d, %0a, %00) in HTTP header values. If the server accepts these malformed headers and maps them into CGI environment variables without rejecting them, it is vulnerable.
Proof-of-concept tests include sending headers like "X-Test: ok%0d%0aInjected: yes" or "X-Test: abc%00def" and observing whether the server responds with 400 Bad Request or improperly processes the request.
To detect this on your system or network, you can use tools like curl or netcat to send such crafted requests and observe the server response.
- Using curl to send a header with encoded CRLF injection: curl -v -H "X-Test: ok%0d%0aInjected: yes" http://target-server/
- Using curl to send a header with an encoded NUL byte: curl -v -H $'X-Test: abc\0def' http://target-server/
- Monitor server responses for a 400 Bad Request status or unexpected behavior indicating acceptance of malformed headers. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade TinyWeb to version 2.04 or later, where this vulnerability has been patched.
The patch enforces strict HTTP header parsing that rejects any header lines containing raw or encoded NUL, CR, or LF bytes, disallows obsolete line folding, and enforces strict header name grammar.
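The validation rules the patch is described as enforcing, written out as an added reference implementation in Python. This is not TinyWeb's code and not taken from the advisory: it rejects header lines carrying raw or percent-encoded NUL, CR or LF, refuses obsolete line folding, applies the RFC 9110 token grammar to header names (which also forbids whitespace before the colon), and only then maps the surviving headers to CGI meta-variables the way RFC 3875 describes. The same checks answer the detection question above from the server side: run over the constructed request heads below (not captured traffic), they return the 400 reason a hardened server or fronting proxy should produce. Function names and the sample heads are my own; the exact grammar TinyWeb 2.04 applies is an assumption, since the advisory only says "strict header name grammar".

```python
"""Strict HTTP/1.1 header validation ahead of CGI environment mapping.

Added reference implementation, not TinyWeb's code. It enforces the rules
the advisory attributes to the 2.04 fix and then builds CGI meta-variables.
"""
import re

# RFC 9110 tchar set for header names (assumed to be the "strict grammar").
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Percent-encoded NUL / LF / CR, hex digit matched case-insensitively.
_ENCODED_CTL_RE = re.compile(rb"%0[0aAdD]")
_RAW_CTL = {0x00, 0x0A, 0x0D}


class HeaderRejected(ValueError):
    """Raised when the request head must be answered with 400 Bad Request."""


def check_header_line(line: bytes) -> tuple[bool, str]:
    """Validate one header line (CRLF terminator already removed).

    Returns (True, "") when acceptable, otherwise (False, reason).
    """
    if any(b in _RAW_CTL for b in line):
        return False, "raw NUL/CR/LF byte in header line"
    if _ENCODED_CTL_RE.search(line):
        return False, "percent-encoded NUL/CR/LF in header line"
    if line[:1] in (b" ", b"\t"):
        return False, "obsolete line folding (obs-fold) is not allowed"
    name, sep, _value = line.partition(b":")
    if not sep:
        return False, "header line has no ':' separator"
    # Whitespace before the colon is not a tchar, so "Host : x" fails here,
    # which is the RFC 9112 "no whitespace before colon" rule.
    if not _TOKEN_RE.match(name):
        return False, "header name is not a valid token"
    return True, ""


def _cgi_name(header_name: bytes) -> str:
    """Map a validated (ASCII token) header name to its CGI meta-variable."""
    upper = header_name.decode("ascii").upper().replace("-", "_")
    # RFC 3875 carries these two without the HTTP_ prefix.
    if upper in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return upper
    return "HTTP_" + upper


def cgi_env_from_head(raw_head: bytes) -> dict[str, str]:
    """Parse a CRLF-delimited request head into CGI meta-variables.

    Raises HeaderRejected on the first bad line, so nothing partially
    validated is ever handed to the CGI process.
    """
    lines = raw_head.split(b"\r\n")
    while lines and lines[-1] == b"":  # drop the terminating CRLF CRLF
        lines.pop()
    if not lines:
        raise HeaderRejected("empty request head")
    request_line, header_lines = lines[0], lines[1:]
    if any(b in _RAW_CTL for b in request_line):
        raise HeaderRejected("control byte in request line")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise HeaderRejected("malformed request line")
    method, _target, protocol = parts
    if not _TOKEN_RE.match(method) or not protocol.startswith(b"HTTP/"):
        raise HeaderRejected("malformed request line")
    env = {
        "REQUEST_METHOD": method.decode("ascii"),
        "SERVER_PROTOCOL": protocol.decode("latin-1"),
    }
    for line in header_lines:
        ok, reason = check_header_line(line)
        if not ok:
            raise HeaderRejected(reason)
        name, _sep, value = line.partition(b":")
        key = _cgi_name(name)
        text = value.strip(b" \t").decode("latin-1")
        # Repeated header fields are joined with ", " as RFC 3875 describes.
        env[key] = text if key not in env else env[key] + ", " + text
    return env


def reject_reason(raw_head: bytes) -> str:
    """Return "" if the head is accepted, otherwise the 400 reason text."""
    try:
        cgi_env_from_head(raw_head)
    except HeaderRejected as exc:
        return str(exc)
    return ""


# Constructed sample request heads (not captured traffic).
GOOD_HEAD = (b"GET /cgi-bin/hello.exe HTTP/1.1\r\n"
             b"Host: example.test\r\n"
             b"Content-Type: text/plain\r\n"
             b"X-Test: ok\r\n"
             b"X-Test: again\r\n\r\n")
BAD_HEADS = {
    "encoded CRLF": b"GET / HTTP/1.1\r\nX-Test: ok%0d%0aInjected: yes\r\n\r\n",
    "raw NUL": b"GET / HTTP/1.1\r\nX-Test: abc\x00def\r\n\r\n",
    "bare LF": b"GET / HTTP/1.1\r\nX-Test: ok\nInjected: yes\r\n\r\n",
    "obs-fold": b"GET / HTTP/1.1\r\nX-Test: ok\r\n continued\r\n\r\n",
    "bad name": b"GET / HTTP/1.1\r\nX Test: ok\r\n\r\n",
}

if __name__ == "__main__":
    print("accepted:", cgi_env_from_head(GOOD_HEAD))
    for label, head in BAD_HEADS.items():
        print(f"{label:13s} -> 400: {reject_reason(head)}")
```

Rejecting on the whole line rather than only on the value matters: `%` is a legal tchar, so an encoded CR or LF placed in the header name would otherwise pass the token check and still reach the environment mapping.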
If upgrading is not immediately possible, consider implementing network-level protections such as web application firewalls (WAFs) or intrusion detection systems (IDS) that can detect and block HTTP requests containing suspicious control characters or malformed headers.
- Upgrade TinyWeb to version 2.04 or later.
- Configure the server or network devices to reject HTTP requests with control characters or malformed headers.
- Limit maximum header sizes and connection limits to reduce risk of denial-of-service attacks.
- Monitor server logs for unusual or malformed HTTP requests.