PT-2023-20516 · Unknown · Drogonframework/Drogon

Alessio Della Libera · Published 2023-07-06 · Updated 2023-07-13 · CVE-2023-26138

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: drogonframework/drogon, versions prior to the fixed version.

Description: The issue arises when untrusted user input is used to set request headers through the addHeader function. The value is placed into the header line as given, so an attacker can inject additional headers by including CRLF (carriage return / line feed, \r\n) characters in it. This allows extra headers to be injected into the request that is sent.

Recommendations: For drogonframework/drogon, as a temporary workaround, consider disabling the addHeader function until a patch is available. Restrict access to untrusted user input to minimize the risk of exploitation, and avoid using untrusted user input to set request headers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
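A guard of the kind the recommendations imply, as an added example that is not code from the Drogon project: it rejects header names and values containing CR, LF or NUL before they would reach a call such as addHeader. The function names (isSafeHeaderValue, isValidHeaderName, buildHeaderLine) are illustrative assumptions and the code assumes C++17.

```cpp
#include <cctype>
#include <optional>
#include <string>
#include <string_view>

// Added illustration, not Drogon code: a value is safe to place in a header
// line only if it cannot end that line early. CR and LF would terminate the
// line (the CRLF injection described above); NUL is rejected as well.
bool isSafeHeaderValue(std::string_view value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') {
            return false;
        }
    }
    return true;
}

// Header names are restricted to RFC 9110 token characters, so a name can
// never contain a separator, whitespace or a control character.
bool isValidHeaderName(std::string_view name) {
    static constexpr std::string_view extra = "!#$%&'*+-.^_`|~";
    if (name.empty()) {
        return false;
    }
    for (unsigned char c : name) {
        bool ok = std::isalnum(c) != 0 ||
                  extra.find(static_cast<char>(c)) != std::string_view::npos;
        if (!ok) {
            return false;
        }
    }
    return true;
}

// Hypothetical guard to run before handing user-controlled data to an
// addHeader-style API: returns the serialized header line, or nullopt when
// the input would split into more than one header.
std::optional<std::string> buildHeaderLine(std::string_view name,
                                           std::string_view value) {
    if (!isValidHeaderName(name) || !isSafeHeaderValue(value)) {
        return std::nullopt;
    }
    std::string line;
    line.reserve(name.size() + value.size() + 4);
    line.append(name).append(": ").append(value).append("\r\n");
    return line;
}
```

Callers that receive nullopt should drop the header and log the rejected input rather than fall back to writing it unchecked.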

Exploit

Special Elements Injection


Weakness Enumeration

Related Identifiers

CVE-2023-26138

Affected Products

Drogonframework/Drogon