The soup_message_new() function is used to create a new empty request, which will connect to the provided URI. The request line is constructed using the g_string_append_printf() function without escaping the method value:

    g_string_append_printf (header, "%s %s HTTP/1.%d\r\n",
                            soup_message_get_method (msg),
                            uri_string,
                            (soup_message_get_http_version (msg) == SOUP_HTTP_1_0) ? 0 : 1);

If the method parameter of soup_message_new() is user-controlled, a malicious user could inject arbitrary headers and further request data using CRLF sequences.

A simple example demonstrating the issue is given in the attachment, CRLF_inj_in_method.c. Running this code confirms that the server on localhost:5000 receives a valid HTTP request containing the injected X-Injected-By header with the value injection.

Impact

An attacker controlling the value used to set the method is able to perform a CRLF injection, potentially leading to header injection and HTTP request injection.

Recommended solution

Methods containing invalid characters, including any form of whitespace, should be refused or sanitized.