PT-2023-20525 · Unknown · Ithewei/Libhv

Alessio Della Libera · Published 2023-09-28 · Updated 2023-10-02 · CVE-2023-26147

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ithewei/libhv, all versions

Description: The issue arises when untrusted user input is used to build HTTP response header values. Because the input is not validated, an attacker can include carriage return line feed sequences (\r\n) that terminate the current header line, which lets them inject additional headers or even a new response body. The advisory rates this as a potential XSS vulnerability.

Recommendations: For all versions, validate and sanitize user input before it is placed in HTTP response headers, so that line-ending characters such as \r\n cannot be injected. As a temporary workaround, restrict the use of user-supplied data in header values until a more comprehensive fix is available.
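To make the recommendation concrete, here is an added example in C (not code from libhv or from this advisory) that contrasts an unchecked header writer with one that rejects or sanitizes CR/LF in the value. The `append_header`, `header_policy` and `lines_emitted` names and the sample untrusted input are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum header_policy { HDR_UNCHECKED, HDR_REJECT, HDR_SANITIZE };  /* hypothetical policy */

/* A value is safe to emit only if it cannot terminate its own header line. */
bool header_value_is_safe(const char *value) {
    for (; *value; ++value)
        if (*value == '\r' || *value == '\n') return false;
    return true;
}

/* Copies value to out with every CR/LF replaced by a space; -1 if it does not fit. */
int sanitize_header_value(const char *value, char *out, size_t cap) {
    size_t len = strlen(value);
    if (len + 1 > cap) return -1;
    for (size_t i = 0; i < len; ++i)
        out[i] = (value[i] == '\r' || value[i] == '\n') ? ' ' : value[i];
    out[len] = '\0';
    return (int)len;
}

/* Formats "Name: value\r\n" into buf. HDR_UNCHECKED reproduces the flaw the
 * advisory describes: a CRLF inside value starts a new header line. Returns
 * bytes written, or -1 if the value was rejected or too long. */
int append_header(char *buf, size_t cap, const char *name, const char *value,
                  enum header_policy policy) {
    char clean[256];
    if (policy == HDR_REJECT && !header_value_is_safe(value)) return -1;
    if (policy == HDR_SANITIZE) {
        if (sanitize_header_value(value, clean, sizeof clean) < 0) return -1;
        value = clean;
    }
    int n = snprintf(buf, cap, "%s: %s\r\n", name, value);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Number of CRLF-terminated lines one Content-Language header produces for
 * the given value under the policy (should always be 1); -1 if rejected. */
int lines_emitted(const char *value, enum header_policy policy) {
    char buf[512];
    int lines = 0;
    if (append_header(buf, sizeof buf, "Content-Language", value, policy) < 0) return -1;
    for (const char *p = strstr(buf, "\r\n"); p; p = strstr(p + 2, "\r\n")) ++lines;
    return lines;
}
```

With a constructed input such as `"en\r\nSet-Cookie: session=constructed"`, the unchecked path emits two header lines, the rejecting policy returns -1, and the sanitizing policy emits exactly one line.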


Related Identifiers: CVE-2023-26147

Affected Products: Ithewei/Libhv