Subyumatest

**Name of the Vulnerable Software and Affected Versions** BusyBox versions through 1.3.7 **Description** The software accepts raw CR (0x0D)/LF (0x0A) and other C0 control bytes within the HTTP request-target (path/query). This allows an attacker to split the request line and inject controlled headers. Specifically, the software fails to reject raw spaces (0x20) within the request-target, which should be encoded as '%20'. This impacts the HTTP/1.1 request-line structure, which requires a space between the request-target and the HTTP version. **Recommendations** Update BusyBox to a version later than 1.3.7.