CRLF
Web injection attack inserting line-break characters to manipulate HTTP responses.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for CRLF
cPanel zero-day ran 65 days before patch; Sorry ransomware active
Cybersecurity: Threats and DefencesWhat is CRLF injection?
What is the difference between CRLF injection and HTTP response splitting?
How dangerous is CRLF injection?
Background
CRLF injection is a class of web application security vulnerability in which an attacker inserts Carriage Return (CR, `\r`, ASCII 0x0D) and Line Feed (LF, `\n`, ASCII 0x0A) characters into user-controlled input that the application reflects into an HTTP header or log entry without sufficient sanitisation. HTTP uses CRLF sequences to delimit headers; by injecting them, an attacker can split a response into two separate HTTP responses (HTTP response splitting), inject arbitrary headers, set cookies, redirect users, or inject content into logs. CRLF injection is classified under OWASP's injection vulnerability family alongside SQL injection and header injection.
The vulnerability class has existed since the early 2000s and is well-documented. It typically arises when redirect targets, cache-control headers, or session-property values are constructed from unsanitised user input. Modern web frameworks and HTTP libraries generally encode or strip CRLF characters by default, but the vulnerability persists in applications built on lower-level or legacy HTTP handling code, or where custom header manipulation bypasses framework safeguards.
In U#3, CVE-2026-41940 in cPanel (the widely-deployed web hosting control panel) is a CRLF injection that allowed unauthenticated remote attackers to inject session properties via an unsanitised URL parameter in the cPanel login page . The vulnerability was exploited for 65 days before the patch was released on 28 April 2026. The Sorry ransomware group was observed exploiting it at scale.