# Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

The product uses CRLF (carriage return line feed) as a special element, e.g. to separate headers or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

**Stack:** JavaScript

- Prevalence: 中 覆盖 3 种语言
- Impact: 高 3 条严重级别为高的规则
- Prevention: 已记录 3 个修复示例

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

CRLF injection can be used to inject malicious headers in HTTP responses (HTTP response splitting), forge log entries, or manipulate other protocols that use CRLF as a delimiter.

## Prevention

基于 1 条 Shoulder 检测规则的 CRLF Injection 预防策略。

### JavaScript

Validate email addresses and strip CRLF characters from header values

## Warning Signs

- [HIGH] email header injection vulnerabilities where user input flows into
email headers (To, From, Subject,

## Consequences

- 修改应用程序数据
- 执行未授权代码
- 隐藏活动

## Mitigations

- 对所有用于头部或日志的输入,剥离或编码 CRLF 序列
- 使用能自动处理头部编码的框架
- 验证输入中不包含意外的控制字符

## Detection

- Total rules: 3
- Languages: go, javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into
email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can
inject CRLF sequences (\r\n) to add arbitrary headers or body content.

Attack impact:
- Send spam/phishing emails via your server
- Add hidden recipients (Cc/Bcc injection)
- Modify email content
- Bypass spam filters using your domain reputation

Common vulnerable patterns:
- nodemailer with user-controlled options
- SendGrid/Mailgun APIs with 
  - Remediation: Validate email addresses and remove CRLF from header values:

```javascript
const validator = require('validator');

function sanitizeHeader(value) {
  return value.replace(/[\r\n]/g, '');
}

if (!validator.isEmail(email)) {
  return res.status(400).json({ error: 'Invalid email' });
}

const safeSubject = sanitizeHeader(subject).slice(0, 200);
await transporter.sendMail({
  to: 'admin@example.com',
  subject: `Contact: ${safeSubject}`,
  text: message
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection

### Typescript (1 rules)

- **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into
email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can
inject CRLF sequences (\r\n) to add arbitrary headers or body content.

Attack impact:
- Send spam/phishing emails via your server
- Add hidden recipients (Cc/Bcc injection)
- Modify email content
- Bypass spam filters using your domain reputation

Common vulnerable patterns:
- nodemailer with user-controlled options
- SendGrid/Mailgun APIs with 
  - Remediation: Validate email addresses and remove CRLF from header values:

```javascript
const validator = require('validator');

function sanitizeHeader(value) {
  return value.replace(/[\r\n]/g, '');
}

if (!validator.isEmail(email)) {
  return res.status(400).json({ error: 'Invalid email' });
}

const safeSubject = sanitizeHeader(subject).slice(0, 200);
await transporter.sendMail({
  to: 'admin@example.com',
  subject: `Contact: ${safeSubject}`,
  text: message
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection