CVE-2020-7695
MEDIUM
Uvicorn < 0.11.7 - HTTP Response Splitting via CRLF Injection in HTTP Headers
Title source: llm
Description
Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.
References (2)
Core References
Third Party Advisory x_refsource_misc
https://github.com/encode/uvicorn
Exploit, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-PYTHON-UVICORN-570471
Scores
CVSS v3
5.3
EPSS
0.0131
EPSS Percentile
67.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-74
Status
published
Products (2)
encode/uvicorn
< 0.11.7
pypi/uvicorn
0 - 0.11.7
PyPI
Published
Jul 27, 2020
Tracked Since
Feb 18, 2026