PT-2026-2925 · Unknown · Blacksheep
Tr4Ce-Ju · Published 2026-01-14 · Updated 2026-01-15 · CVE-2026-22779
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: BlackSheep versions prior to 2.4.6
Description: BlackSheep, an asynchronous web framework for building event-based web applications with Python, has an issue in its HTTP client implementation. Missing validation of header names and values allows an attacker who controls such input to modify the outgoing HTTP request, potentially inserting new headers or creating entirely new requests. Exploitation requires that the application pass unsanitized user input directly into headers. The server component is not affected, because BlackSheep relies on the underlying ASGI server to handle response headers. The attack vector is an application that uses user input in HTTP client requests for the method, URL, or headers.
Recommendations: Upgrade to version 2.4.6. If handling headers from untrusted sources, reject header names and values that contain carriage returns.
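The following is an added example, not BlackSheep's own code, of the check the recommendation describes: a guard that rejects header names and values carrying line terminators before they reach an HTTP client. It goes slightly beyond the advisory text by rejecting line feeds and NUL bytes as well as carriage returns, and by restricting header names to RFC 7230 token characters; the `naive_serialize` helper and the sample header values are constructed here purely to show how an unvalidated value turns one header into two lines on the wire.

```python
"""Header validation for user-controlled header names and values.

Added example (not BlackSheep code): illustrates the advisory's recommendation
to reject carriage returns in header names and values taken from untrusted
sources, extended to line feeds and NUL bytes.
"""
import re

# RFC 7230 "token" characters permitted in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Characters that would terminate the current header line (or the whole
# header block) and let the rest of the value be parsed as new headers.
_FORBIDDEN_IN_VALUE = frozenset("\r\n\0")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the request."""


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Return (name, value) unchanged if both are safe, else raise."""
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"illegal header name: {name!r}")
    if any(ch in _FORBIDDEN_IN_VALUE for ch in value):
        raise HeaderInjectionError(f"control character in value of {name!r}")
    return name, value


def naive_serialize(headers: dict[str, str]) -> str:
    """Render a header block with NO validation (the defective pattern)."""
    return "".join(f"{n}: {v}\r\n" for n, v in headers.items()) + "\r\n"


def safe_serialize(headers: dict[str, str]) -> str:
    """Render a header block, validating every name/value pair first."""
    lines = [f"{n}: {v}\r\n" for n, v in (validate_header(*kv) for kv in headers.items())]
    return "".join(lines) + "\r\n"


def count_header_lines(block: str) -> int:
    """Number of non-empty lines in a serialized header block."""
    return sum(1 for line in block.split("\r\n") if line)


if __name__ == "__main__":
    # Constructed sample input: one benign header map, one with a CRLF value.
    benign = {"Host": "example.invalid", "X-Request-Id": "abc123"}
    tainted = {"X-Forwarded-For": "203.0.113.5\r\nX-Injected: yes"}

    print(safe_serialize(benign), end="")
    print("naive lines for tainted input:", count_header_lines(naive_serialize(tainted)))
    try:
        safe_serialize(tainted)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

The naive path shows the failure mode the advisory describes: a single tainted value yields two header lines, the second of which the application never intended to send. The safe path raises before any bytes are written, which is the behaviour an application should have regardless of which client library it uses.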

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-22779
GHSA-6PW3-H7XF-X4GP

Affected Products

Blacksheep