CVE-2023-26147

MEDIUM

ithewei/libhv - SSRF

Title source: llm

Description

All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build header values. An attacker can add the \r\n (carriage return, line feed) characters to end the HTTP response headers and inject malicious content, such as additional headers or a new response body, leading to a potential XSS vulnerability.
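The header-building pattern described above, next to a checked form that rejects the value, as an added example that is not libhv code. All function names are hypothetical, the input string is constructed, and only the header value is validated here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not libhv functions. */

/* A field value is safe only if it has no CR, LF, NUL or other control
 * bytes (horizontal tab is allowed inside a value). */
int header_value_is_safe(const char *v, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '\t') continue;
        if (c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Unchecked serialization: copies the value verbatim, so an embedded
 * CRLF ends this header line and starts a new one. */
int append_header_naive(char *out, size_t cap, const char *name, const char *value) {
    size_t used = strlen(out);
    if (used >= cap) return -1;
    int n = snprintf(out + used, cap - used, "%s: %s\r\n", name, value);
    if (n < 0 || (size_t)n >= cap - used) { out[used] = '\0'; return -1; }
    return 0;
}

/* Hardened form: refuse the header instead of emitting it. */
int append_header_checked(char *out, size_t cap, const char *name, const char *value) {
    if (!header_value_is_safe(value, strlen(value))) return -1;
    return append_header_naive(out, cap, name, value);
}

/* Number of CRLF-terminated lines in the serialized header block. */
int count_header_lines(const char *buf) {
    int n = 0;
    for (const char *p = buf; (p = strstr(p, "\r\n")) != NULL; p += 2) n++;
    return n;
}

int main(void) {
    const char *untrusted = "en\r\nSet-Cookie: injected=1"; /* constructed input */
    char a[256] = "", b[256] = "";
    append_header_naive(a, sizeof a, "Content-Language", untrusted);
    int rc = append_header_checked(b, sizeof b, "Content-Language", untrusted);
    printf("naive lines=%d, checked rc=%d, checked lines=%d\n",
           count_header_lines(a), rc, count_header_lines(b));
    return 0;
}
```

One call to the unchecked function yields two header lines for this input, which is the splitting condition; the checked function returns an error and leaves the buffer untouched.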

Scores

CVSS v3 5.3
EPSS 0.0012
EPSS Percentile 30.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-113 CWE-79
Status published
Products (1)
ithewei/libhv
Published Sep 29, 2023
Tracked Since Feb 18, 2026