Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (CWE version 2.11)

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Weakness ID: 93
Abstraction: Base
Status: Draft
+ Description

Description Summary

The software uses CRLF (carriage return / line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences that arrive in its inputs.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

+ Common Consequences

Technical Impact: Modify application data

+ Likelihood of Exploit

Medium to High

+ Demonstrative Examples

Example 1

If user input that eventually ends up in a log message is not checked for CRLF characters, an attacker may be able to forge entries in the log file: a CRLF embedded in the input terminates the genuine record, and whatever follows it is written as a new, attacker-chosen record.

(Bad Code)
Example Language: Java

    logger.info("User's street address: " + request.getParameter("streetAddress"));
+ Observed Examples
  • CRLF injection enables a spam proxy (adding mail headers) via an email address or name.
  • CRLF injection in API function arguments modifies headers of outgoing requests.
  • Spoofed entries in a web server log file via carriage returns.
  • Chain: inject fake log entries with fake timestamps using CRLF injection.
  • Chain: application accepts CRLF in an object ID, allowing HTTP response splitting.
  • Chain: HTTP response splitting via CRLF in a parameter related to the URL.
+ Potential Mitigations

Phase: Implementation

Avoid using CRLF as a special sequence in the first place, so that a CRLF arriving in input has no structural meaning to the consumer.

Phase: Implementation

Appropriately filter (reject) or quote (escape) CRLF sequences in user-controlled input before it reaches the line- or record-oriented sink.
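As an added example, not part of the CWE entry, the logging pattern from the demonstrative example above is shown beside both mitigations, in Python rather than Java. The log format, the forged parameter value and the function names are constructed for illustration.

```python
import re

# Matches CR, LF and every other ASCII control character (including DEL).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed attacker-controlled parameter: a plausible address, then a CRLF,
# then text shaped like a second, fake log record.
FORGED_INPUT = "1 Main St\r\nINFO admin logged in from 10.0.0.1"


def log_line_unsafe(street_address: str) -> str:
    """Vulnerable pattern: the raw parameter is concatenated into the log line."""
    return "INFO User's street address: " + street_address


def contains_crlf(value: str) -> bool:
    """Mitigation 1 (filter): detect CR/LF so the caller can reject the input."""
    return "\r" in value or "\n" in value


def neutralize(value: str) -> str:
    """Mitigation 2 (quote): replace each control character with a visible
    \\xNN escape so one logical event can never span or mimic several lines."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_line_safe(street_address: str) -> str:
    """Hardened pattern: the parameter is neutralized before it reaches the sink."""
    return "INFO User's street address: " + neutralize(street_address)


def count_records(log_text: str) -> int:
    """Number of records a log consumer would see when splitting on CRLF or LF."""
    return len([line for line in re.split(r"\r?\n", log_text) if line])


if __name__ == "__main__":
    # The unsafe sink writes two records for one event; the safe sink writes one.
    print(count_records(log_line_unsafe(FORGED_INPUT)))  # 2
    print(count_records(log_line_safe(FORGED_INPUT)))    # 1
    print(log_line_safe(FORGED_INPUT))
```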

+ Weakness Ordinalities

Primary (where the weakness exists independent of other weaknesses)
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Development Concepts (primary) 699; Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
ChildOf | Category | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Weaknesses in OWASP Top Ten (2007) (primary) 629
ChildOf | Category | 990 | SFP Secondary Cluster: Tainted Input to Command | Software Fault Pattern (SFP) Clusters (primary) 888
CanPrecede | Weakness Base | 117 | Improper Output Neutralization for Logs | Research Concepts 1000
ParentOf | Weakness Base | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Research Concepts (primary) 1000; Weaknesses for Simplified Mapping of Published Vulnerabilities (primary) 1003
CanAlsoBe | Weakness Variant | 144 | Improper Neutralization of Line Delimiters | Research Concepts 1000
CanAlsoBe | Weakness Variant | 145 | Improper Neutralization of Section Delimiters | Research Concepts 1000
+ Research Gaps

Probably under-studied, although it gained more prominence in 2005 as a result of interest in HTTP response splitting.

+ Causal Nature


+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
OWASP Top Ten 2007 | A2 | CWE More Specific | Injection Flaws
WASC | 24 | | HTTP Request Splitting
Software Fault Patterns | SFP24 | | Tainted input to command
+ References
Ulf Harnhammar. "CRLF Injection". Bugtraq. 2002-05-07.
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source | Summary
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
2009-03-10 | CWE Content Team | MITRE | Internal | updated References
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name
2009-10-29 | CWE Content Team | MITRE | Internal | updated Other_Notes
2009-12-28 | CWE Content Team | MITRE | Internal | updated Likelihood_of_Exploit
2010-02-16 | CWE Content Team | MITRE | Internal | updated Related_Attack_Patterns, Taxonomy_Mappings
2010-04-05 | CWE Content Team | MITRE | Internal | updated Related_Attack_Patterns
2010-06-21 | CWE Content Team | MITRE | Internal | updated Description, Name
2011-03-29 | CWE Content Team | MITRE | Internal | updated Description
2011-06-01 | CWE Content Team | MITRE | Internal | updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal | updated Relationships
2012-10-30 | CWE Content Team | MITRE | Internal | updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy_Mappings
2015-12-07 | CWE Content Team | MITRE | Internal | updated Relationships

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | CRLF Injection
2009-05-27 | Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
2010-06-21 | Failure to Sanitize CRLF Sequences ('CRLF Injection')

Page Last Updated: May 05, 2017