CVE-2023-26137

7.2 HIGH

📋 TL;DR

CVE-2023-26137 is an HTTP response splitting vulnerability in the Drogon C++ web framework. Attackers can inject malicious content into HTTP responses by placing carriage return / line feed (CRLF) characters in header values. All applications that pass untrusted user input to Drogon's addHeader or addCookie functions are affected.

💻 Affected Systems

Products:
  • drogonframework/drogon
Versions: All versions before patched version
Operating Systems: All operating systems running Drogon
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when untrusted user input is passed to addHeader or addCookie functions without proper validation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious JavaScript, redirect users to phishing sites, steal session cookies, or perform cross-site scripting attacks against users.

🟠 Likely Case

Session hijacking, cross-site scripting attacks, or content injection leading to user compromise.

🟢 If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control input that reaches the vulnerable header functions. A public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Drogon GitHub repository for latest patched version

Vendor Advisory: https://github.com/drogonframework/drogon/security/advisories

Restart Required: Yes

Instructions:

  1. Update Drogon to the latest patched version.
  2. Rebuild your application.
  3. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation and sanitization for all user-supplied data used in HTTP headers.

Header Value Filtering (applies to: all)

Filter out CRLF sequences (\r\n) from all user input before passing it to the addHeader or addCookie functions.
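The two workarounds above as an added example (not Drogon's own code): a header-value check applied to the decoded user input before it reaches addHeader or addCookie. Function names are hypothetical and Drogon's headers are not included, so the block builds stand-alone; the reject-first variant also refuses other control bytes, not only CRLF.

```cpp
#include <optional>
#include <string>
#include <string_view>

// Header values may contain printable ASCII, HTAB and (leniently) bytes
// >= 0x80. CR, LF, the other C0 control characters and DEL are what make
// response splitting possible, so all of them are rejected.
bool isSafeHeaderValue(std::string_view value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n') return false;   // CRLF ends a header line
        if (c < 0x20 && c != '\t') return false;    // other C0 controls
        if (c == 0x7F) return false;                // DEL
    }
    return true;
}

// Preferred workaround: reject rather than repair. Returns std::nullopt when
// the value is unsafe so the caller can answer 400 instead of guessing what
// the client meant.
std::optional<std::string> validatedHeaderValue(std::string_view value) {
    if (!isSafeHeaderValue(value)) return std::nullopt;
    return std::string(value);
}

// Fallback workaround when rejecting is not an option: drop every CR, LF and
// other control byte so no injected header line can begin.
std::string stripHeaderControls(std::string_view value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || (c < 0x20 && c != '\t') || c == 0x7F) continue;
        out.push_back(static_cast<char>(c));
    }
    return out;
}

// Intended call site (hypothetical; resp is a drogon::HttpResponsePtr):
//   if (auto v = validatedHeaderValue(userInput)) resp->addHeader("X-Trace", *v);
//   else resp->setStatusCode(drogon::k400BadRequest);
// The same check applies to cookie names and values passed to addCookie.
```

Apply the check to the value after any URL decoding; a percent-encoded %0D%0A is harmless as text and only becomes a CRLF once decoded.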

🧯 If You Can't Patch

  • Implement strict input validation to reject any header values containing CRLF sequences
  • Use a web application firewall (WAF) to detect and block HTTP response splitting attempts

🔍 How to Verify

Check if Vulnerable:

Review code for use of addHeader or addCookie with untrusted user input without proper validation

Check Version:

Check Drogon version in your project configuration or build files

Verify Fix Applied:

Test that CRLF sequences in header values are properly sanitized or rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP response headers
  • Multiple Set-Cookie headers
  • Malformed HTTP responses

Network Indicators:

  • HTTP responses containing unexpected JavaScript or redirects
  • Responses with multiple CRLF sequences in headers

SIEM Query:

http.response.headers contains "\r\n" OR http.response.headers contains "%0D%0A"
