Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-93: Improper Neutralization of CRLF Sequences (‘CRLF Injection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
User input from HTTP requests is written directly to a file without validation or neutralization of carriage-return/line-feed (CR/LF) sequences. An attacker can therefore inject line breaks and forged content into the file, potentially corrupting logs or other sensitive resources.
Impact
An attacker could exploit this to manipulate log files, trigger unwanted log rotations, or fill up disk space, leading to denial-of-service or hiding malicious activities. This can disrupt application operations and compromise the integrity of file-based records.
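As an added illustration of the description and impact above (example code, not taken from the original page), the following Python shows a logging routine that writes request data straight to a file beside a hardened version that neutralizes CR/LF first. The log sink, the `neutralize` helper and the constructed `FORGED_INPUT` value are assumptions for the example.

```python
import io
import re

# C0 control characters and DEL: CR and LF are the ones that let one
# request produce extra log records; the rest can corrupt parsers/terminals.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample input: a username carrying a CRLF followed by a
# second, forged-looking record.
FORGED_INPUT = "alice\r\nlogin attempt user=admin result=success"


def has_crlf(value: str) -> bool:
    """Validation check: True if the value contains CR or LF."""
    return "\r" in value or "\n" in value


def neutralize(value: str) -> str:
    """Return a single-line form of value that is safe to embed in a record.

    CR and LF are made visible as the escape sequences \\r and \\n, and any
    other control character is dropped, so the input can never start a
    new line in the file.
    """
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return _CONTROL.sub("", value)


def log_login_unsafe(log: io.TextIOBase, username: str) -> None:
    # Vulnerable pattern (the one the rule flags): request data written as-is.
    log.write(f"login attempt user={username}\n")


def log_login_safe(log: io.TextIOBase, username: str) -> None:
    # Hardened pattern: neutralize CR/LF before the record reaches the file.
    log.write(f"login attempt user={neutralize(username)}\n")


def record_count(text: str) -> int:
    """Number of log records (lines) the sink ended up with."""
    return len(text.splitlines())


def demo(username: str) -> tuple[int, int]:
    """Return (records written by unsafe logger, records written by safe logger)."""
    unsafe, safe = io.StringIO(), io.StringIO()
    log_login_unsafe(unsafe, username)
    log_login_safe(safe, username)
    return record_count(unsafe.getvalue()), record_count(safe.getvalue())
```

With `FORGED_INPUT`, the unsafe logger emits two records while the hardened one emits a single record containing the literal text `\r\n`; `has_crlf` can be used where the application prefers to reject such input outright instead of escaping it.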