CVE-2023-26137

HIGH

drogon - HTTP Response Splitting via addHeader and addCookie Functions

Title source: llm

Description

All versions of the package drogonframework/drogon are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values in the addHeader and addCookie functions. An attacker can add the \r\n (carriage return and line feed) characters to end the HTTP response headers and inject malicious content.
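The mitigation for this class of bug is to refuse any header name, header value or cookie component that contains CR, LF or NUL before it is concatenated into the response. The example below is added here and is not drogon's code: the helper names (is_safe_header_token, make_header_line, make_set_cookie_line, count_header_lines) and the sample tainted value are assumptions constructed for illustration. It places the rejection check in front of a header-building step and shows, by counting resulting header lines, why an unchecked concatenation of the same input would yield more than one header.

```cpp
#include <cstddef>
#include <cstdio>
#include <optional>
#include <string>

// Returns true when the token contains none of the bytes that terminate a
// header line (CR, LF) or the string itself (NUL). This is the check to
// place in front of any addHeader/addCookie-style API that accepts
// caller-supplied strings. Hypothetical helper, not drogon's own API.
bool is_safe_header_token(const std::string& s) {
    for (unsigned char c : s) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Builds one "Name: value\r\n" header line, returning std::nullopt for any
// name or value that fails the check above.
std::optional<std::string> make_header_line(const std::string& name,
                                            const std::string& value) {
    if (name.empty() || !is_safe_header_token(name) ||
        !is_safe_header_token(value)) {
        return std::nullopt;
    }
    return name + ": " + value + "\r\n";
}

// Same rule for Set-Cookie: both the cookie name and its value are
// caller-controlled in the pattern the advisory describes.
std::optional<std::string> make_set_cookie_line(const std::string& cookie_name,
                                                const std::string& cookie_value) {
    if (cookie_name.empty() || !is_safe_header_token(cookie_name) ||
        !is_safe_header_token(cookie_value)) {
        return std::nullopt;
    }
    return "Set-Cookie: " + cookie_name + "=" + cookie_value + "\r\n";
}

// Unchecked concatenation, kept only to show what the check prevents.
std::string unchecked_header_line(const std::string& name,
                                  const std::string& value) {
    return name + ": " + value + "\r\n";
}

// Counts CRLF-terminated lines in a raw header block. One header call
// should always produce exactly one line; more means the value split it.
std::size_t count_header_lines(const std::string& block) {
    std::size_t n = 0;
    for (std::size_t pos = block.find("\r\n"); pos != std::string::npos;
         pos = block.find("\r\n", pos + 2)) {
        ++n;
    }
    return n;
}

int main() {
    // Constructed sample: a value that carries a CRLF followed by text.
    const std::string tainted = "en-US\r\nX-Injected: 1";

    std::printf("unchecked build produces %zu header line(s)\n",
                count_header_lines(unchecked_header_line("Content-Language", tainted)));
    std::printf("checked build accepted the value: %s\n",
                make_header_line("Content-Language", tainted) ? "yes" : "no");
    std::printf("checked build accepted a clean value: %s\n",
                make_header_line("Content-Language", "en-US") ? "yes" : "no");
    return 0;
}
```

The check is deliberately a byte-level reject rather than an attempt to strip or encode the offending characters; stripping silently changes a value the caller believed was intact, while rejecting surfaces the bad input where it can be logged and handled.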

Scores

CVSS v3 7.2
EPSS 0.0038
EPSS Percentile 29.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-113 CWE-444
Status published
Products (1)
drogon/drogon
Published Jul 06, 2023
Tracked Since Feb 18, 2026