CVE-2021-31402

7.5 HIGH

📋 TL;DR

CVE-2021-31402 is a CRLF injection vulnerability in the Dio HTTP client package for Dart. Attackers who can control the HTTP method string can inject malicious headers or split responses. This affects applications using Dio 4.0.0 for HTTP requests.

💻 Affected Systems

Products:
  • Dio HTTP client package for Dart
Versions: 4.0.0 only
Operating Systems: All platforms running Dart applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications where attackers can control the HTTP method string parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could perform HTTP response splitting to inject malicious content, hijack user sessions, or conduct cross-site scripting attacks against users.

🟠 Likely Case

HTTP header injection allowing manipulation of responses, potential cache poisoning, or limited client-side attacks.

🟢 If Mitigated

Minimal impact if input validation prevents attacker control of HTTP method strings.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires attacker control of HTTP method input. Proof-of-concept available in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.1

Vendor Advisory: https://github.com/flutterchina/dio/issues/1130

Restart Required: Yes

Instructions:

1. Update the Dio package to version 4.0.1 or later.
2. Run 'dart pub upgrade dio'.
3. Restart your Dart/Flutter application.

🔧 Temporary Workarounds

Input validation for HTTP methods

Applies to: all

Validate and sanitize all user input used as HTTP method strings before passing it to Dio.

🧯 If You Can't Patch

  • Implement strict input validation to prevent attacker control of HTTP method strings.
  • Use application-level firewalls to monitor for CRLF injection patterns in HTTP requests.
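One way to apply the input-validation workaround above in Dart, as an added example that is not code from the Dio project or from this page: the method string is checked against the RFC 7230 token grammar (which excludes CR, LF and every other control character) and against an application allow list before it reaches Dio. The names `validateHttpMethod`, `safeRequest` and the contents of `allowedMethods` are assumptions of this example.

```dart
import 'package:dio/dio.dart';

// RFC 7230 "token": one or more tchar. CR, LF, space and other control
// characters are not tchar, so one regex check rejects any CRLF payload.
final RegExp _tokenPattern = RegExp(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$");

// Methods this application actually uses (assumption: adjust per application).
const Set<String> allowedMethods = {
  'GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS',
};

/// Returns the method upper-cased when it is a well-formed token on the
/// allow list; throws [ArgumentError] otherwise.
String validateHttpMethod(String method) {
  if (!_tokenPattern.hasMatch(method)) {
    throw ArgumentError.value(method, 'method', 'not a valid HTTP method token');
  }
  final upper = method.toUpperCase();
  if (!allowedMethods.contains(upper)) {
    throw ArgumentError.value(method, 'method', 'method not permitted');
  }
  return upper;
}

/// Use this instead of passing an unchecked method string into dio.request.
Future<Response<dynamic>> safeRequest(Dio dio, String path, String method) {
  final checked = validateHttpMethod(method);
  return dio.request<dynamic>(path, options: Options(method: checked));
}

void main() {
  // Constructed inputs: the second mimics a CRLF-injected method string.
  for (final m in ['get', 'GET\r\nX-Injected: 1']) {
    try {
      print('$m -> ${validateHttpMethod(m)}');
    } on ArgumentError catch (e) {
      print('rejected: ${e.message}');
    }
  }
}
```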

🔍 How to Verify

Check if Vulnerable:

Check your pubspec.yaml or pubspec.lock file for 'dio: 4.0.0'.

Check Version:

grep dio pubspec.lock

Verify Fix Applied:

Verify Dio version is 4.0.1 or higher in pubspec.lock after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP method strings containing CRLF sequences (\r\n)
  • Malformed HTTP requests with injected headers

Network Indicators:

  • HTTP requests with CRLF sequences in method field
  • Responses with unexpected headers or content

SIEM Query:

http.method contains "\r\n" OR http.method contains "%0D%0A"
