CVE-2026-22779
BlackSheep's ClientSession is vulnerable to CRLF injection
Description

### Impact

The HTTP client implementation in BlackSheep is vulnerable to CRLF injection. Missing header validation makes it possible for an attacker to modify the outgoing HTTP request (e.g. insert a new header) or even append an entirely new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server side is not affected because BlackSheep delegates handling of response headers to the underlying ASGI server.

**Attack vector:** applications that use user input in HTTP client requests (method, URL, headers).

### Patches

Users of the HTTP client in BlackSheep should upgrade to `2.4.6`.

### Workarounds

Applications that build request headers from untrusted input should reject header names and header values that contain carriage return (`\r`) or line feed (`\n`) characters before handing them to the client.

### References

https://owasp.org/www-community/vulnerabilities/CRLF_Injection
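The following is an added example, not BlackSheep's code and not taken from the advisory. It uses a small, hypothetical HTTP/1.1 serializer (`serialize_unchecked`) as a stand-in for a client that writes header names and values without validation, shows how a constructed user-supplied value containing CRLF sequences smuggles an extra header and a second request onto the wire, and then applies the workaround described above (`serialize_checked` rejects names and values containing CR or LF, and also refuses whitespace or control characters in the method and request target, since the advisory lists those as attack vectors too). All function names and the sample value are this example's own.

```python
import re

# Constructed sample input: a user-controlled value that an application
# forwards into an outbound request header. The embedded CRLF sequences end
# the header line and smuggle a second header plus a second request.
UNTRUSTED_VALUE = (
    "en-US\r\n"
    "X-Injected: attacker\r\n"
    "\r\n"
    "GET /admin HTTP/1.1\r\n"
    "Host: internal"
)

# RFC 9110 token characters, the only characters legal in a field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN_IN_VALUE = ("\r", "\n", "\0")


def header_name_is_safe(name: str) -> bool:
    """A field name must be a non-empty RFC 9110 token (no whitespace, no CR/LF)."""
    return bool(_TOKEN_RE.match(name))


def header_value_is_safe(value: str) -> bool:
    """Reject CR, LF and NUL: they are what let a value break out of its line."""
    return not any(ch in value for ch in _FORBIDDEN_IN_VALUE)


def request_line_part_is_safe(part: str) -> bool:
    """Method, request-target and host must not contain whitespace or control chars."""
    return bool(part) and not any(ch.isspace() or ord(ch) < 0x20 for ch in part)


def serialize_unchecked(method: str, target: str, host: str, headers: dict) -> str:
    """Hypothetical HTTP/1.1 serializer that trusts its inputs as-is.

    It stands in for a client with missing header validation, the failure
    mode the advisory describes; it is not BlackSheep's implementation.
    """
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines.extend(f"{name}: {value}" for name, value in headers.items())
    return "\r\n".join(lines) + "\r\n\r\n"


def serialize_checked(method: str, target: str, host: str, headers: dict) -> str:
    """Same serializer with the workaround applied: refuse any component that
    could introduce a line break before the request is written."""
    for part in (method, target, host):
        if not request_line_part_is_safe(part):
            raise ValueError(f"unsafe request-line component: {part!r}")
    for name, value in headers.items():
        if not header_name_is_safe(name):
            raise ValueError(f"unsafe header name: {name!r}")
        if not header_value_is_safe(value):
            raise ValueError(f"unsafe header value for {name}: {value!r}")
    return serialize_unchecked(method, target, host, headers)


def count_requests(raw: str) -> int:
    """Count request lines in the serialized text; a single clean request yields 1."""
    return len(re.findall(r"^[A-Z]+ \S+ HTTP/1\.1\r\n", raw, flags=re.MULTILINE))


if __name__ == "__main__":
    headers = {"Accept-Language": UNTRUSTED_VALUE}
    raw = serialize_unchecked("GET", "/", "example.com", headers)
    print(raw.replace("\r\n", "\\r\\n\n"))
    print("requests on the wire:", count_requests(raw))  # 2: the injected one rides along
    try:
        serialize_checked("GET", "/", "example.com", headers)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping is deliberate: silently removing `\r\n` from a value changes what the caller asked for, and an attacker can sometimes route around stripping with encodings the serializer later decodes, whereas a hard failure surfaces the tainted input at the point where it can still be traced back to its source.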
How to fix CVE-2026-22779
To fix CVE-2026-22779, upgrade the affected package to the patched version listed below.
- — upgrade to 2.4.6 or later
Is CVE-2026-22779 being exploited?
Low: the EPSS score is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 2.4.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |