{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/crlf-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-6351"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["crlf-injection","vulnerability","mailgates","mailaudit"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenfind MailGates and MailAudit are susceptible to a CRLF injection vulnerability identified as CVE-2026-6351. This flaw allows unauthenticated remote attackers to inject carriage return and line feed characters into HTTP headers. By manipulating these headers, attackers can potentially read system files due to the application\u0026rsquo;s failure to properly neutralize CRLF sequences. This can lead to information disclosure and potentially further compromise of the affected system. The vulnerability was reported on April 15, 2026, and has a CVSS v3.1 score of 7.5, indicating a high severity. 
This poses a significant risk to organizations using affected versions of MailGates/MailAudit.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a MailGates/MailAudit instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing CRLF sequences within a vulnerable parameter (e.g., URL or header value).\u003c/li\u003e\n\u003cli\u003eThe CRLF sequences are injected into an HTTP header, allowing the attacker to insert additional headers or manipulate existing ones.\u003c/li\u003e\n\u003cli\u003eBy injecting a \u003ccode\u003eContent-Type\u003c/code\u003e header followed by a blank line and arbitrary content, the attacker attempts to inject data into the HTTP response body.\u003c/li\u003e\n\u003cli\u003eThe server processes the crafted request without properly sanitizing the CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe injected content, which could include commands to read system files, is interpreted by the server.\u003c/li\u003e\n\u003cli\u003eThe server responds with the content of the requested system file within the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the sensitive information from the server\u0026rsquo;s response, achieving unauthorized access to system files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CRLF injection vulnerability (CVE-2026-6351) can lead to unauthorized access to sensitive system files on the affected MailGates/MailAudit server. This can result in the disclosure of confidential information, such as usernames, passwords, configuration details, and other sensitive data. The number of potential victims is dependent on the number of organizations using vulnerable versions of Openfind MailGates/MailAudit. 
The affected sectors are likely those that rely on these applications for email security and auditing. The consequences of a successful attack include data breaches, potential regulatory fines, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patches or updates provided by Openfind to address CVE-2026-6351 as soon as they become available.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on all user-supplied data to prevent CRLF injection attacks (reference CWE-93).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious CRLF Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns or unexpected characters in HTTP headers, specifically looking for CRLF sequences (\u003ccode\u003e\\r\\n\u003c/code\u003e) to detect potential exploitation attempts. 
Enable web server logging to activate the rule above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T03:17:58Z","date_published":"2026-04-16T03:17:58Z","id":"/briefs/2026-04-mailgates-crlf/","summary":"Openfind MailGates/MailAudit is vulnerable to CRLF injection (CVE-2026-6351), enabling unauthenticated remote attackers to read system files by injecting malicious CRLF sequences.","title":"Openfind MailGates/MailAudit CRLF Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mailgates-crlf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["medium"],"_cs_tags":["crlf-injection","http-response-splitting","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e library, in versions prior to 3.9.3, exhibits a vulnerability stemming from insufficient sanitization of user-controlled language values. These values are written into the \u003ccode\u003eContent-Language\u003c/code\u003e HTTP response header. The \u003ccode\u003eutils.escape()\u003c/code\u003e function, employed for sanitization, performs HTML-entity encoding but fails to strip critical characters like carriage return and line feed. When the application uses an older \u003ccode\u003ei18next\u003c/code\u003e (\u0026lt; 19.5.0) or produces raw detected values, CRLF sequences within the \u003ccode\u003elng\u003c/code\u003e parameter reach \u003ccode\u003eres.setHeader('Content-Language', ...)\u003c/code\u003e without proper escaping. This flaw can result in HTTP response splitting (Node.js \u0026lt; 14.6.0) or a denial-of-service condition (Node.js \u0026gt;= 14.6.0), impacting all concurrent users of the affected process. The same vulnerability is triggered multiple times per request. 
This issue is resolved in version 3.9.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e. The request includes a \u003ccode\u003elng\u003c/code\u003e parameter with a payload containing CRLF sequences (e.g., \u003ccode\u003e%0d%0a\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e receives the request and extracts the language value from the \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe extracted language value is passed through \u003ccode\u003eutils.escape()\u003c/code\u003e, which performs HTML-entity encoding but does not remove CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware attempts to set the \u003ccode\u003eContent-Language\u003c/code\u003e header using \u003ccode\u003eres.setHeader()\u003c/code\u003e, incorporating the unsanitized language value.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is less than 14.6.0, the \u003ccode\u003eres.setHeader()\u003c/code\u003e function processes the CRLF sequences, resulting in HTTP response splitting. 
This allows the attacker to inject arbitrary headers and control parts of the response body.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is 14.6.0 or greater, \u003ccode\u003eres.setHeader()\u003c/code\u003e throws an \u003ccode\u003eERR_INVALID_CHAR\u003c/code\u003e error because the value contains CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware fails to catch this error, and the exception propagates, leading to an unhandled exception.\u003c/li\u003e\n\u003cli\u003eThe unhandled exception causes the Node.js process to terminate or become unresponsive, resulting in a denial-of-service condition for all concurrent users sharing that process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to inject arbitrary HTTP headers, leading to session fixation, cache poisoning, or reflected XSS attacks. In Node.js versions 14.6.0 and later, exploitation leads to a denial-of-service condition, potentially impacting all users of an application instance. This can result in significant disruption of service availability and potential data compromise. 
The number of affected applications is unknown, but any application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ei18next-http-middleware\u003c/code\u003e to version 3.9.3 or later to address the vulnerability by patching the \u003ccode\u003eutils.sanitizeHeaderValue()\u003c/code\u003e function, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect i18next-http-middleware CRLF Injection Attempt\u003c/code\u003e to monitor for exploitation attempts by detecting suspicious URL-encoded characters in HTTP requests.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to reject requests containing \u003ccode\u003e\\r\u003c/code\u003e or \u003ccode\u003e\\n\u003c/code\u003e characters in query parameters, cookies, and path segments as a partial mitigation, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to ensure events related to potential exploits are captured for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-crlf/","summary":"i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.","title":"i18next-http-middleware HTTP Response Splitting and DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-crlf/"}],"language":"en","title":"CraftedSignal Threat Feed — Crlf-Injection","version":"https://jsonfeed.org/version/1.1"}