CVE-2024-51501

Name of the Vulnerable Software and Affected Versions Refit versions prior to 7.2.22 Refit versions prior to 8.0.0

Description The Refit library for .NET Core, Xamarin, and .NET has a CRLF injection vulnerability in its header-related attributes. This vulnerability occurs because the HttpHeaders.TryAddWithoutValidation method does not check for CRLF characters in the header value, allowing an attacker to inject additional HTTP headers or smuggle whole HTTP requests. If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection, which can lead to request splitting and Server Side Request Forgery (SSRF).

Recommendations For Refit versions prior to 7.2.22, upgrade to version 7.2.22 or later. For Refit versions prior to 8.0.0, upgrade to version 8.0.0 or later. As a temporary workaround, consider avoiding the use of the HttpHeaders.TryAddWithoutValidation method and instead use a validated method to add headers to requests. Restrict access to user-controllable header values to minimize the risk of exploitation.