The soup_message_headers_set_content_type() function sets the Content-Type header value. Internally, it calls soup_message_headers_append_common() to add the new Content-Type value to an accumulating array. Unlike soup_message_headers_append(), the internal soup_message_headers_append_common() function does not enforce any restrictions on the allowed characters in the header value, allowing the creation of a header whose value contains a CRLF sequence. Later, when the HTTP request or response is constructed, the header strings are interpreted without further sanitization, resulting in the effective injection of a CRLF sequence, and hence, arbitrary header-value pairs. A proof of concept script that showcases the issue can be found in the attachment. CRLF_inj_in_soup_message_headers_set_content_type.c Running this code confirms that the server on localhost:5000 receives a valid HTTP request containing the injected X-Injected-By header with the value injection. Impact An attacker controlling the value used to set the Content-Type header is able to perform a CRLF injection, potentially leading to header injection and response splitting. Recommended solution Instead of directly using the soup_message_headers_append_common() function, use the soup_message_headers_append() function in soup_message_headers_set_content_type().