CVE-2026-22779

Description

### Impact The HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. **Attack vector:** Applications using user input in HTTP client requests (method, URL, headers). ### Patches Users who use the HTTP Client in BlackSheep should upgrade to `2.4.6`. ### Workarounds If users handle headers from untrusted parties, they might reject values for header names and values that contain carriage returns. ### References https://owasp.org/www-community/vulnerabilities/CRLF_Injection

How to fix CVE-2026-22779

To remediate CVE-2026-22779, upgrade the affected package to a fixed version below.

• —upgrade to 2.4.6 or later

Is CVE-2026-22779 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.4.6

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22779
• PATCHgithub.com/Neoteroi/BlackSheep
• WEBgithub.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12
• WEBgithub.com/Neoteroi/BlackSheep/releases/tag/v2.4.6