CVE-2024-51501

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Published: Nov 4, 2024 / Updated: 15d ago

CVSS 10 / EPSS 0.04% / Critical

Summary

Refit, an automatic type-safe REST library for .NET Core, Xamarin and .NET, has a vulnerability where the various header-related attributes (Header, HeaderCollection and Authorize) are susceptible to CRLF injection. The issue stems from the use of the `HttpHeaders.TryAddWithoutValidation` method, which does not check for CRLF characters in header values. This vulnerability allows for the injection of additional HTTP headers or the smuggling of whole HTTP requests when using HTTP/1.1.

Impact

If an application using the Refit library passes user-controllable values to headers, it becomes vulnerable to CRLF injection. In web applications, this can lead to request splitting, making the application susceptible to Server Side Request Forgery (SSRF). While this may not be a significant security issue for command-line applications, it poses a considerable risk in web application contexts. The vulnerability has a CVSS v4 base score of 10.0, which is rated as CRITICAL severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in release version 8.0.0 of Refit. All users are advised to upgrade to this version or later.

Mitigation

The primary mitigation is to upgrade to Refit version 8.0.0 or later, which addresses this vulnerability. There are no known workarounds for this issue other than upgrading. Users should prioritize this update, especially for web applications using Refit. Additionally, as a general security practice, applications should avoid passing user-controllable values directly to HTTP headers without proper validation and sanitization.
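As an added example (not code from Refit or from this advisory), the following C# program contrasts `HttpHeaders.TryAddWithoutValidation`, named above as the root cause, with the validating `HttpHeaders.Add` and with an application-side guard applied to user-controllable header values. `HeaderValueGuard`, the `X-Tenant` header, the URL and the sample inputs are assumptions constructed for illustration.

```csharp
using System;
using System.Net.Http;

static class HeaderValueGuard
{
    // Hypothetical helper: rejects CR, LF and every other control character
    // (tab included, which is stricter than HTTP itself requires).
    public static string Require(string headerName, string value)
    {
        if (value is null) throw new ArgumentNullException(nameof(value));
        foreach (char c in value)
        {
            if (char.IsControl(c))
                throw new ArgumentException(
                    $"Header '{headerName}' contains control character U+{(int)c:X4}.",
                    nameof(value));
        }
        return value;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs: one benign, one carrying a CRLF sequence.
        string[] samples = { "tenant-42", "tenant-42\r\nX-Injected: 1" };

        foreach (string sample in samples)
        {
            using var unvalidated = new HttpRequestMessage(HttpMethod.Get, "https://api.example.test/items");
            using var validated = new HttpRequestMessage(HttpMethod.Get, "https://api.example.test/items");

            // The method named in the advisory: the value is stored without a CR/LF check.
            bool stored = unvalidated.Headers.TryAddWithoutValidation("X-Tenant", sample);

            // The validating counterpart throws FormatException on new-line characters.
            string add;
            try { validated.Headers.Add("X-Tenant", sample); add = "accepted"; }
            catch (FormatException) { add = "rejected"; }

            // Guard applied by the application before the value reaches any header parameter.
            string guard;
            try { HeaderValueGuard.Require("X-Tenant", sample); guard = "accepted"; }
            catch (ArgumentException ex) { guard = "rejected (" + ex.Message + ")"; }

            Console.WriteLine($"TryAddWithoutValidation stored={stored}; Add {add}; guard {guard}");
        }
    }
}
```

Calling a guard of this kind at the point where request data enters the application keeps the check independent of which HTTP client library later builds the header.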

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Vendor Advisory
GitHub Advisories released a security advisory.
Nov 4, 2024 at 10:22 AM

CVE Assignment
NVD published the first details for CVE-2024-51501.
Nov 4, 2024 at 11:15 PM

CVSS
A CVSS base score of 2.3 has been assigned.
Nov 4, 2024 at 11:20 PM / nvd

First Article
Feedly found the first article mentioning CVE-2024-51501.
Nov 4, 2024 at 11:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Nov 4, 2024 at 11:21 PM

EPSS
EPSS Score was set to: 0.04% (Percentile: 10%)
Nov 5, 2024 at 10:05 AM

CVSS
A CVSS base score of 2.3 has been assigned.
Nov 5, 2024 at 4:06 PM / nvd

CVSS
A CVSS base score of 10 has been assigned.
Nov 8, 2024 at 4:21 PM / nvd

Patches

GitHub Advisory

Attack Patterns

CAPEC-15: Command Delimiters

Vendor Advisory

[GHSA-3hxg-fxwm-8gf7] CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This means that any headers added to a refit request are vulnerable to CRLF-injection.

News

NA - CVE-2024-51501 - Refit is an automatic type-safe REST library...
Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET. The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection....

CVE-2024-51501 | reactiveui refit up to 7.x HttpHeaders.TryAddWithoutValidation Header/HeaderCollection/Authorize crlf injection (GHSA-3hxg-fxwm-8gf7)
A vulnerability classified as problematic has been found in reactiveui refit up to 7.x. This affects the function HttpHeaders.TryAddWithoutValidation. The manipulation of the argument Header/HeaderCollection/Authorize leads to crlf injection. This vulnerability is uniquely identified as CVE-2024-51501. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVE-2024-51501 - Refit CRLF Injection Vulnerability

CVSS V3.1

Unknown
