# Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93) The product uses CRLF (carriage return line feed) as a special element, e.g. to separate headers or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. **Stack:** JavaScript - Prevalence: Mittel 3 Sprachen abgedeckt - Impact: Hoch 3 Regeln mit hohem Schweregrad - Prevention: Dokumentiert 3 Fix-Beispiele **OWASP:** Injection (A03:2021-Injection) - #3 ## Description CRLF injection can be used to inject malicious headers in HTTP responses (HTTP response splitting), forge log entries, or manipulate other protocols that use CRLF as a delimiter. ## Prevention Präventionsstrategien für CRLF Injection basierend auf 1 Shoulder-Erkennungsregeln. ### JavaScript Validate email addresses and strip CRLF characters from header values ## Warning Signs - [HIGH] email header injection vulnerabilities where user input flows into email headers (To, From, Subject, ## Consequences - Anwendungsdaten ändern - Nicht autorisierten Code ausführen - Aktivitäten verbergen ## Mitigations - Entferne oder encodiere CRLF-Sequenzen aus allen Eingaben, die in Headern oder Logs verwendet werden - Verwende Frameworks, die das Header-Encoding automatisch übernehmen - Stelle sicher, dass Eingaben keine unerwarteten Steuerzeichen enthalten ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Javascript (1 rules) - **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (\r\n) to add arbitrary headers or body content. Attack impact: - Send spam/phishing emails via your server - Add hidden recipients (Cc/Bcc injection) - Modify email content - Bypass spam filters using your domain reputation Common vulnerable patterns: - nodemailer with user-controlled options - SendGrid/Mailgun APIs with - Remediation: Validate email addresses and remove CRLF from header values: ```javascript const validator = require('validator'); function sanitizeHeader(value) { return value.replace(/[\r\n]/g, ''); } if (!validator.isEmail(email)) { return res.status(400).json({ error: 'Invalid email' }); } const safeSubject = sanitizeHeader(subject).slice(0, 200); await transporter.sendMail({ to: 'admin@example.com', subject: `Contact: ${safeSubject}`, text: message }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection ### Typescript (1 rules) - **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (\r\n) to add arbitrary headers or body content. Attack impact: - Send spam/phishing emails via your server - Add hidden recipients (Cc/Bcc injection) - Modify email content - Bypass spam filters using your domain reputation Common vulnerable patterns: - nodemailer with user-controlled options - SendGrid/Mailgun APIs with - Remediation: Validate email addresses and remove CRLF from header values: ```javascript const validator = require('validator'); function sanitizeHeader(value) { return value.replace(/[\r\n]/g, ''); } if (!validator.isEmail(email)) { return res.status(400).json({ error: 'Invalid email' }); } const safeSubject = sanitizeHeader(subject).slice(0, 200); await transporter.sendMail({ to: 'admin@example.com', subject: `Contact: ${safeSubject}`, text: message }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection