PT-2023-15966 · Unknown · Async Http Client

Alessio Della Libera

Published 2023-01-18 · Updated 2023-06-07 · CVE-2023-0040

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Async HTTP Client versions prior to 1.13.2

Description: The vulnerability stems from insufficient validation of HTTP header field values before they are written to the network, which allows an attacker who controls such a value to inject new HTTP header fields, or entirely new requests, into the data stream. The remote server may then interpret the request differently than the client intended, leading to logical errors and other misbehaviour. Applications are affected if they place untrusted data, such as usernames read from a database, into HTTP header field values without prior sanitization.

Recommendations: For versions prior to 1.13.2, update to version 1.13.2 or later. As a temporary workaround, sanitize all untrusted data before passing it into HTTP header field values to reduce the risk of exploitation; restrict access to sensitive data and functions that could be affected by injected header fields or requests; and avoid placing untrusted data in HTTP header fields until the update has been applied.
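The following added example (written for this page, not code from the Async HTTP Client project) shows the framing problem the advisory describes and the kind of check the recommendations call for. A minimal HTTP/1.1 request serializer is run once without validation, mirroring the pre-1.13.2 behaviour, and once with a validator that rejects CR, LF and NUL in field values and non-token characters in field names. The sample username, the header names and the `HeaderInjectionError` class are all constructed for the example.

```python
# Added example (not AsyncHTTPClient's own code): a minimal HTTP/1.1 request
# serializer with and without the header-value validation the advisory calls for.
import re

# Header field values must not contain CR, LF or NUL (RFC 9110 section 5.5) and
# a field name is a token (RFC 9110 section 5.6.2). These patterns are our own.
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header field name or value would break request framing."""


def validate_header(name: str, value: str) -> None:
    """Reject names/values that would let untrusted data open a new header
    field or a new request on the wire."""
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header field name: {name!r}")
    if _FORBIDDEN_IN_VALUE.search(value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of header {name!r}")


def serialize_request(method: str, target: str, headers, validate: bool = True) -> bytes:
    """Build the head of an HTTP/1.1 request. With validate=False this mirrors the
    unchecked behaviour described in the advisory: a value containing CRLF is
    written as-is and therefore framed by the server as additional lines."""
    lines = [f"{method} {target} HTTP/1.1"]
    for name, value in headers:
        if validate:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def header_lines(raw: bytes) -> list:
    """Split a serialized request head into lines, as a receiving server frames it."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")


# Constructed sample: a "username" read from a database without sanitization.
UNTRUSTED_USERNAME = "alice\r\nX-Injected: 1"
HEADERS = [("Host", "api.example.test"), ("X-User", UNTRUSTED_USERNAME)]


def demo_unvalidated() -> list:
    """Lines the server sees when the value goes to the wire unchecked."""
    return header_lines(serialize_request("GET", "/", HEADERS, validate=False))


def demo_validated() -> str:
    """Outcome when the same headers pass through the validator."""
    try:
        serialize_request("GET", "/", HEADERS)
    except HeaderInjectionError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("unvalidated framing:", demo_unvalidated())
    print("validated:", demo_validated())
```

The unvalidated run turns a single `X-User` header into two header lines, which is exactly the "new HTTP header fields" outcome the description warns about; the validated run refuses the value before anything reaches the socket. Rejecting rather than stripping is the safer default, because silently removing CRLF can still leave a value that the application did not expect.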

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2023-0040
GHSA-V3R5-PJPM-MWGQ

Affected Products

Async Http Client