http.request allows CR and LF in header values

Low
Sainan published GHSA-w8xp-pmx2-37w7 Sep 10, 2024

Package

Pluto

Affected versions

0.9.0-0.9.4

Patched versions

0.9.5

Description

Impact

Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Patches

As of 0.9.5, an error is raised when these characters are given in a header value.

Workarounds

Stripping these characters, e.g. via :replace("\r", ""):replace("\n", ""), would be a possible workaround.
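The two approaches side by side, as an added example rather than code from the Pluto project: a strict check that raises on CR or LF in a header name or value (the behaviour 0.9.5 performs internally) and the stripping workaround above in plain-Lua form (string.gsub instead of the Pluto :replace chain). The function names and the shape of the headers table are assumptions; the sanitized table is meant to be passed to http.request in place of the raw one.

```lua
-- Added example (not Pluto's own code): guard a headers table before it
-- reaches http.request, so user-controlled values cannot smuggle extra
-- lines into the request.

-- Strict mode: reject any header name or value containing CR or LF.
-- This mirrors the error that Pluto 0.9.5 raises itself.
local function assert_header_safe(name, value)
  name, value = tostring(name), tostring(value)
  if name:find("[\r\n]") or value:find("[\r\n]") then
    error(("header %q contains CR or LF"):format(name), 2)
  end
  return value
end

-- Workaround mode for 0.9.0-0.9.4: drop CR and LF from the value.
-- Plain-Lua equivalent of :replace("\r", ""):replace("\n", "").
-- (gsub returns a count as well; the parentheses keep only the string.)
local function strip_crlf(value)
  return (tostring(value):gsub("[\r\n]", ""))
end

-- Return a new headers table with every entry checked (strict=true)
-- or cleaned (strict=false). The original table is left untouched.
local function safe_headers(headers, strict)
  local out = {}
  for name, value in pairs(headers) do
    if strict then
      out[name] = assert_header_safe(name, value)
    else
      out[name] = strip_crlf(value)
    end
  end
  return out
end

-- Constructed demonstration input: one trusted header and one value
-- taken from user input that happens to contain a CRLF sequence.
local untrusted = "alice\r\nInjected: yes"
local headers = {
  ["Authorization"] = "Bearer <token placeholder>",
  ["X-User"]        = untrusted,
}

-- Workaround: the value survives with the line break removed.
local cleaned = safe_headers(headers, false)
print(cleaned["X-User"])

-- Strict: the call fails instead of sending a malformed request.
local ok, err = pcall(safe_headers, headers, true)
print(ok, err)
```

Prefer the strict form where the script can surface an error to the caller: silently stripping characters changes the value the server sees, whereas raising makes the bad input visible in logs.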

Severity

Low

CVE ID

CVE-2024-45597

Weaknesses

No CWEs