Concept

CRLF

Web injection attack inserting line-break characters to manipulate HTTP responses.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Common Questions
What is CRLF injection?
CRLF injection is an attack where an attacker inserts carriage return and line feed characters (\r\n) into HTTP headers, splitting the response and allowing them to inject arbitrary headers, set cookies, or redirect users.
What is the difference between CRLF injection and HTTP response splitting?
HTTP response splitting is the specific attack technique that exploits a CRLF injection vulnerability. CRLF injection refers to the vulnerability class (unsanitised input reflected into HTTP headers); HTTP response splitting describes what the attacker does with it — inserting a second HTTP response.
How dangerous is CRLF injection?
CRLF injection can enable session hijacking, cross-site scripting, cache poisoning, and phishing via open redirects. CVE-2026-41940 in cPanel allowed unauthenticated attackers to inject session properties, which the Sorry ransomware group exploited for 65 days before patching.

Background

CRLF injection is a class of web application security vulnerability in which an attacker inserts Carriage Return (CR, `\r`, ASCII 0x0D) and Line Feed (LF, `\n`, ASCII 0x0A) characters into user-controlled input that the application reflects into an HTTP header or log entry without sufficient sanitisation. HTTP uses CRLF sequences to delimit headers; by injecting them, an attacker can split a response into two separate HTTP responses (HTTP response splitting), inject arbitrary headers, set cookies, redirect users, or inject content into logs. CRLF injection is classified under OWASP's injection vulnerability family alongside SQL injection and header injection.

The vulnerability class has existed since the early 2000s and is well-documented. It typically arises when redirect targets, cache-control headers, or session-property values are constructed from unsanitised user input. Modern web frameworks and HTTP libraries generally encode or strip CRLF characters by default, but the vulnerability persists in applications built on lower-level or legacy HTTP handling code, or where custom header manipulation bypasses framework safeguards.
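As an added illustration (not code from the briefing or from cPanel) of the two paragraphs above: a redirect handler that concatenates an unsanitised target into the Location header, the same handler with a strict header-value check that refuses CR/LF/NUL, and a small scan over constructed access-log lines for the URL-encoded CR/LF probes a defender would look for. The log lines and IP addresses are made up for the example.

```python
import re

CRLF = "\r\n"

def build_redirect_unsafe(target: str) -> str:
    """VULNERABLE: the user-supplied target goes straight into the Location header."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + target + CRLF + CRLF

def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw response the way a naive client would: one header per CRLF-delimited line."""
    head = raw.split(CRLF + CRLF, 1)[0]
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

class HeaderInjection(ValueError):
    """Raised when a header value contains line-break or NUL characters."""

_BAD_CHARS = re.compile(r"[\r\n\x00]")

def safe_header_value(value: str) -> str:
    """Reject rather than silently strip: stripping can leave a value the caller never intended."""
    if _BAD_CHARS.search(value):
        raise HeaderInjection("CR/LF/NUL in header value")
    return value

def build_redirect_safe(target: str) -> str:
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + safe_header_value(target) + CRLF + CRLF

# Detection: request URIs carrying URL-encoded CR or LF (%0d / %0a, any case) are the usual probe.
_ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")

def find_crlf_probes(log_lines: list[str]) -> list[str]:
    """Return access-log lines whose request URI contains URL-encoded CR or LF."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
        if m and _ENCODED_CRLF.search(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2026:10:00:01 +0000] "GET /login?next=/home HTTP/1.1" 302 0',
    '203.0.113.9 - - [08/May/2026:10:00:02 +0000] "GET /login?next=/home%0d%0aSet-Cookie:%20x=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [08/May/2026:10:00:03 +0000] "POST /api/session HTTP/1.1" 200 41',
]
```

With a tainted target such as `"/home\r\nSet-Cookie: session=x"`, `parse_headers(build_redirect_unsafe(...))` shows the injected `Set-Cookie` as its own header, while `build_redirect_safe` raises `HeaderInjection` before any bytes are emitted.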

In U#3, CVE-2026-41940 in cPanel (the widely deployed web hosting control panel) is a CRLF injection that allowed unauthenticated remote attackers to inject session properties via an unsanitised URL parameter in the cPanel login page. The vulnerability was exploited for 65 days before the patch was released on 28 April 2026. The Sorry ransomware group was observed exploiting it at scale.

Source Material