CVE-2026-38967
Response Header Injection in CrowCpp HTTP Server
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crowcpp | crow | 1.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38967 is a security vulnerability in the CrowCpp Crow framework (up to version 1.3.1) where HTTP response header injection is possible due to unvalidated response header values.
The vulnerability occurs because the framework does not properly sanitize Carriage Return (CR) and Line Feed (LF) characters in header names and values before including them in HTTP responses.
Attackers can exploit this by injecting CR/LF sequences into user-controlled input that is reflected in response headers, allowing them to inject malicious headers or split HTTP responses.
This can lead to response splitting attacks, where attackers manipulate HTTP headers to inject fake cookies, modify security headers, or interfere with caching and proxy behavior.
How can this vulnerability impact me? :
This vulnerability can have serious security impacts by allowing attackers to manipulate HTTP response headers.
- Inject fake cookies to hijack or impersonate user sessions.
- Modify or bypass security headers, weakening protections like Content Security Policy or HTTP Strict Transport Security.
- Cause cache poisoning, leading to serving malicious or stale content to users.
- Manipulate downstream proxies or intermediaries by injecting unexpected headers.
Overall, the vulnerability breaks HTTP response integrity and can be leveraged for various attacks that compromise application security and user trust.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if HTTP response headers contain unexpected or injected header lines caused by unfiltered carriage return (CR) and line feed (LF) characters in header values.
One practical method is to test if user-controlled input reflected in response headers can inject additional headers by including encoded CR/LF sequences such as %0d%0a in the input.
For example, if an application uses a header like X-Echo that reflects a query parameter, you can send a request with a value containing %0d%0aInjected:%20yes and observe if the response headers include an injected 'Injected: yes' header line.
You can use command-line tools like curl combined with grep or similar to inspect raw HTTP response headers. For example:
- curl -i 'http://yourserver/path?param=%0d%0aInjected:%20yes' | grep -i 'Injected'
- Use a network traffic capture tool like Wireshark or tcpdump to capture HTTP responses and look for unexpected header lines or header splitting.
- Inspect server logs or application logs for suspicious header values containing CR or LF characters.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to sanitize HTTP response header values by stripping out carriage return (CR) and line feed (LF) characters before they are inserted into response headers.
Updating the CrowCpp/Crow framework to a version that includes the fix for this vulnerability (post v1.3.1) is recommended, as the fix introduces in-place sanitization of header values to prevent injection.
If updating is not immediately possible, implement input validation or sanitization in your application code to remove or encode CR and LF characters from any user-controlled input that is reflected in response headers.
Avoid reflecting user input directly into HTTP headers without proper filtering.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in CrowCpp Crow allows HTTP response header injection via unvalidated header values, enabling attackers to manipulate headers, inject fake cookies, split responses, or bypass security controls.
Such attacks can compromise the integrity and confidentiality of HTTP responses, potentially leading to unauthorized data exposure or manipulation.
This undermines security controls that are critical for compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and tampering.
Therefore, if exploited, this vulnerability could negatively impact an organization's ability to meet these regulatory requirements by exposing data or enabling attacks that violate data protection principles.