
CRLF Injection

Tags: security · CWE-93 · OWASP A3:2021 · CVSS 6.1 · PHP 5.0+ · Intermediate

Also Known As

HTTP response splitting, CRLF attack, newline injection

TL;DR

Injecting carriage-return and line-feed characters into HTTP headers splits responses or injects new headers, enabling log poisoning and XSS.

Explanation

CRLF injection (\r\n) exploits insufficient sanitisation of newline characters in values that end up in HTTP response headers. An attacker who can inject \r\n can terminate the current header and begin a new one — or even split the response body to deliver a second HTTP response (HTTP Response Splitting). In PHP, header() strips newlines since PHP 7.4, but older codebases and custom header construction remain vulnerable. Always strip \r and \n from any user-supplied value before embedding it in a header.

Common Misconception

The misconception: CRLF injection is just a minor header formatting issue. In reality, an attacker controlling a response header can inject a full second HTTP response, enabling XSS, cache poisoning, and session fixation.

Why It Matters

Injecting carriage return and line feed characters into HTTP responses lets attackers add arbitrary headers, split responses, or inject JavaScript — bypassing security controls that rely on headers.

Common Mistakes

  • Allowing newline characters in any value passed to PHP's header() function.
  • URL-decoding user input before passing to header() — %0d%0a is the encoded CRLF.
  • Reflecting redirect targets directly into Location headers without stripping control characters.
  • Not stripping \r and \n from user-supplied filenames in Content-Disposition headers.

Code Examples

✗ Vulnerable
// Any \r\n inside ?url= terminates the Location header; whatever follows is
// parsed by the client as further headers or as a response body.
header('Location: ' . $_GET['url']);

✓ Fixed
// Remove CR and LF before the value reaches header().
$url = str_replace(["\r", "\n"], '', $_GET['url']);
header('Location: ' . $url);
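The fixed snippet above is the minimal change. The following added example, which is not code from the glossary entry, goes a step further than the page's snippet: it rejects values containing control characters instead of silently stripping them, confines redirects to local paths (so the same check also blocks off-site redirects), and applies the same filtering to the Content-Disposition filename case from the Common Mistakes list. The helper names headerValue, safeRedirect and safeAttachment, and the sample inputs at the bottom, are constructed for this illustration; PHP 7 or later is assumed.

```php
<?php
// Added example (not code from the original glossary entry): reject CR/LF in
// header values, restrict redirects to local paths, and sanitise attachment
// filenames. The inputs at the bottom are constructed for the demo.

declare(strict_types=1);

/**
 * Validate a value destined for an HTTP header. Throws rather than silently
 * stripping, so a tampered value can be logged and never reaches the client.
 */
function headerValue(string $value): string
{
    // Reject CR, LF and every other ASCII control character (0x00-0x1F, 0x7F).
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException('Control character in header value');
    }
    return $value;
}

/**
 * Redirect only to a local path: no scheme, no host, no backslash, no CRLF.
 * Response splitting and open redirects are rejected by the same helper.
 */
function safeRedirect(string $target): string
{
    $target = headerValue($target);
    // Require exactly one leading slash; "//host" would be protocol-relative.
    if (!preg_match('#^/(?!/)\S*$#', $target) || strpos($target, '\\') !== false) {
        throw new InvalidArgumentException('Redirect target must be a local path');
    }
    $header = 'Location: ' . $target;
    if (PHP_SAPI !== 'cli') {   // only send real headers under a web SAPI
        header($header);
    }
    return $header;
}

/**
 * Build a Content-Disposition header from a user-supplied filename: drop path
 * components, remove control characters, escape the quoted-string.
 */
function safeAttachment(string $filename): string
{
    $name = basename(str_replace('\\', '/', $filename));
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    // Escape backslash and double quote so the value stays a single quoted-string.
    $name = str_replace(['\\', '"'], ['\\\\', '\\"'], $name);
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'download';
    }
    $header = 'Content-Disposition: attachment; filename="' . $name . '"';
    if (PHP_SAPI !== 'cli') {
        header($header);
    }
    return $header;
}

// --- demo on constructed inputs (run with `php this-file.php`) ---
$inputs = [
    '/account/settings',                 // legitimate local path, accepted
    "/account\r\nX-Injected: 1",         // CRLF embedded (what %0d%0a decodes to), rejected
    'https://example.invalid/elsewhere', // off-site target, rejected
];
foreach ($inputs as $raw) {
    try {
        echo safeRedirect($raw), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected ', json_encode($raw), ': ', $e->getMessage(), PHP_EOL;
    }
}
// The CR/LF pair is removed from the filename; the rest is quoted verbatim.
echo safeAttachment("report\r\nX-Injected.pdf"), PHP_EOL;
```

Rejecting instead of stripping is a deliberate choice: a value that contains \r or \n was not produced by a legitimate user agent, and an exception gives the application a place to log the attempt rather than quietly serving a cleaned-up redirect.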

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

Severity: High. Fix effort: Low.

Quick Fix

Strip or reject \r and \n from any user input used in HTTP headers. In PHP 8.0+ header() throws on CRLF automatically, but validate explicitly for older code.

Applies To

PHP 5.0+, web
Detection Hints

header() with a user-supplied value that may contain newlines; setcookie() with an unsanitised name or value.
Auto-detectable: yes (semgrep, psalm)
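The detection hint above describes the pattern a static tool looks for. As an added illustration, and not a rule from semgrep or psalm, the following PHP script scans source text line by line for header(), setcookie() or setrawcookie() calls whose arguments contain a superglobal. The function scanSource and the sample source it runs over are constructed for this example; the scanner deliberately does not follow data through intermediate variables, which is exactly the taint tracking that the real tools add.

```php
<?php
// Added example (not from the glossary, semgrep or psalm): a single-line
// heuristic for "header sink receives request data directly". Real taint
// analysis follows values through variables; this only flags direct use.

declare(strict_types=1);

const SINKS = ['header', 'setcookie', 'setrawcookie'];
const SOURCES = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER'];

/**
 * Return findings as [line number => message] for the given PHP source text.
 */
function scanSource(string $source): array
{
    $findings = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        foreach (SINKS as $sink) {
            // Capture the argument list of a sink call on this line (greedy to the last paren).
            if (!preg_match('/\b' . $sink . '\s*\((.*)\)/', $line, $m)) {
                continue;
            }
            $args = $m[1];
            foreach (SOURCES as $src) {
                if (strpos($args, $src) !== false) {
                    $findings[$i + 1] = sprintf(
                        '%s() receives %s directly; strip or reject CR and LF first (CWE-93/CWE-113)',
                        $sink,
                        $src
                    );
                    continue 2; // one finding per sink per line
                }
            }
        }
    }
    return $findings;
}

// Constructed sample source; the reported line numbers refer to it.
// Line 2 and line 5 should be flagged. Line 4 passes a sanitised variable,
// which this line-level heuristic cannot see (a known false negative).
$sample = <<<'PHP'
<?php
header('Location: ' . $_GET['url']);
$name = str_replace(["\r", "\n"], '', $_GET['name']);
header('Content-Disposition: attachment; filename="' . $name . '"');
setcookie('lang', $_REQUEST['lang']);
header('X-Frame-Options: DENY');
PHP;

foreach (scanSource($sample) as $lineNo => $msg) {
    echo "line {$lineNo}: {$msg}", PHP_EOL;
}
```

Run it with `php scan.php` on the embedded sample, or replace `$sample` with `file_get_contents()` of a real file. Because it keys on superglobals appearing inside the sink call, it also misses the case where unsanitised input arrives through a function parameter, so treat it as a first pass before a proper taint-tracking tool.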
CWE references: CWE-93, CWE-113
