PT-2020-19718 · Uvicorn

Everardo Padilla Saca · Published 2020-07-27 · Updated 2023-01-31 · CVE-2020-7695

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Uvicorn versions prior to 0.11.7

Description: Uvicorn did not escape CR and LF characters in the values of HTTP headers. When crafted input is used to construct an HTTP header, an attacker can therefore perform HTTP response splitting: the injected CRLF sequence ends the header line early, so arbitrary headers can be added to the response or an arbitrary response body can be returned.

Recommendations: For versions prior to 0.11.7, update to version 0.11.7 or later to resolve the issue. As a temporary workaround, validate and sanitize all input used to construct HTTP headers so that CR and LF characters cannot reach a header value.
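The workaround above as a small ASGI middleware, added here as an illustration and not code from Uvicorn or from this advisory: every response header is checked before the server serialises it, and a name that is not an RFC 7230 token or a value containing CR, LF or NUL is rejected. `HeaderGuard`, `redirect_outcome` and the redirect app that reflects its argument into `Location` are constructed for this example.

```python
import asyncio
import re

# Header names: RFC 7230 token characters only. Values: no CR, LF or NUL,
# since a single bare CR or LF already terminates the header line.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(rb"[\r\n\x00]")

class HeaderInjectionError(ValueError):
    """Raised when a header would break out of its own line."""

def is_safe_header(name: bytes, value: bytes) -> bool:
    return bool(_TOKEN.match(name)) and _CTL.search(value) is None

def validate_headers(headers) -> None:
    for name, value in headers:
        if not is_safe_header(name, value):
            raise HeaderInjectionError(f"unsafe header {name!r}: {value!r}")

class HeaderGuard:
    """ASGI middleware (constructed): validate headers before the server sees them."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        async def guarded_send(message):
            if message["type"] == "http.response.start":
                validate_headers(message.get("headers", []))
            await send(message)
        await self.app(scope, receive, guarded_send)

def redirect_outcome(target: str) -> str:
    """Run a constructed redirect app through HeaderGuard; 'sent' or 'blocked'."""
    async def app(scope, receive, send):  # reflects `target` into Location unchecked
        await send({"type": "http.response.start", "status": 302,
                    "headers": [(b"location", target.encode("latin-1"))]})
        await send({"type": "http.response.body", "body": b""})
    async def server_send(message):  # stand-in for the server's own send()
        pass
    async def run():
        try:
            await HeaderGuard(app)({"type": "http"}, None, server_send)
        except HeaderInjectionError:
            return "blocked"
        return "sent"
    return asyncio.run(run())
```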

Weakness Enumeration: Special Elements Injection

Related Identifiers

CVE-2020-7695
GHSA-F97H-2PFX-F59F
PYSEC-2020-151
SNYK-PYTHON-UVICORN-570471

Affected Products

Uvicorn