Bug 2445128 (CVE-2026-3633)
| Summary: | CVE-2026-3633 libsoup: libsoup: Header and HTTP request injection via CRLF injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the `soup_message_new()` function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, occurs because the method value is not properly escaped during request line construction, potentially leading to HTTP request injection. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2445148, 2445149, 2445150 | ||
| Bug Blocks: | |||
The soup_message_new() function is used to create a new empty request, which will connect to the provided URI. The request line is constructed using the g_string_append_printf() function without escaping the method value:

```c
g_string_append_printf (header, "%s %s HTTP/1.%d\r\n",
                        soup_message_get_method (msg), uri_string,
                        (soup_message_get_http_version (msg) == SOUP_HTTP_1_0) ? 0 : 1);
```

If the method parameter of soup_message_new() is user-controlled, a malicious user could inject arbitrary headers and further request data using CRLF sequences. A simple example demonstrating the issue is given in the attachment `CRLF_inj_in_method.c`. Running this code confirms that the server on localhost:5000 receives a valid HTTP request containing the injected X-Injected-By header with the value injection.

Impact

An attacker controlling the value used to set the method is able to perform a CRLF injection, potentially leading to header injection and HTTP request injection.

Recommended solution

Sanitize or refuse provided methods which contain invalid characters, including any form of whitespace.
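As an added example (not libsoup's code), the check the recommended solution calls for: a method is accepted only if it is an RFC 9110 token, so CR, LF and any whitespace are refused before the request line is formatted. The names `method_is_valid_token` and `build_request_line` are hypothetical, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libsoup code. RFC 9110 token characters:
 * tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
 *         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
 * CR, LF, SP and HTAB are not tchar, so they can never reach the request line. */
static bool is_tchar(unsigned char c)
{
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* Hypothetical validator: true only for a non-empty string made entirely of tchar. */
bool method_is_valid_token(const char *method)
{
    if (method == NULL || *method == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)method; *p; p++)
        if (!is_tchar(*p))
            return false;
    return true;
}

/* Hardened counterpart of the request-line construction quoted above: the method
 * is validated before the format string sees it. Returns the bytes written, or -1
 * if the method is refused or the buffer is too small. */
int build_request_line(char *out, size_t outlen, const char *method,
                       const char *uri_string, int http_minor)
{
    if (!method_is_valid_token(method))
        return -1;
    int n = snprintf(out, outlen, "%s %s HTTP/1.%d\r\n", method, uri_string, http_minor);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: a normal method and one carrying a CRLF sequence. */
    const char *methods[] = { "GET", "GET\r\nX-Injected-By: injection" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        int n = build_request_line(line, sizeof line, methods[i], "/", 1);
        printf("method %zu: %s\n", i, n < 0 ? "refused" : "accepted");
    }
    return 0;
}
```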