{
    "slug": "crlf_injection",
    "term": "CRLF Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Injecting carriage-return and line-feed characters into HTTP headers splits responses or injects new headers, enabling log poisoning and XSS.",
    "long": "CRLF injection (\\r\\n) exploits insufficient sanitisation of newline characters in values that end up in HTTP response headers. An attacker who can inject \\r\\n can terminate the current header and begin a new one — or even split the response body to deliver a second HTTP response (HTTP Response Splitting). In PHP, header() strips newlines since PHP 7.4, but older codebases and custom header construction remain vulnerable. Reject, or at minimum strip, \\r and \\n from any user-supplied value before embedding it in a header. Note that removing CRLF only closes the splitting vector; the value itself still needs validation — a user-supplied Location target, for example, must also be checked against an allowlist to avoid an open redirect.",
    "aliases": [
        "HTTP response splitting",
        "CRLF attack",
        "newline injection"
    ],
    "tags": [
        "injection",
        "headers",
        "cwe-113"
    ],
    "misconception": "CRLF injection is just a minor header formatting issue. In reality, an attacker controlling a response header can inject a full second HTTP response, enabling XSS, cache poisoning, and session fixation.",
    "why_it_matters": "Injecting carriage return and line feed characters into HTTP responses lets attackers add arbitrary headers, split responses, or inject JavaScript — bypassing security controls that rely on headers.",
    "common_mistakes": [
        "Allowing newline characters in any value passed to PHP's header() function.",
        "URL-decoding user input before passing it to header() — %0d%0a is the URL-encoded form of CRLF, so once decoded the value already contains the raw control characters.",
        "Reflecting redirect targets directly into Location headers without stripping control characters.",
        "Not stripping \\r and \\n from user-supplied filenames in Content-Disposition headers."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "header_injection",
        "xss",
        "log_injection"
    ],
    "prerequisites": [
        "header_injection",
        "input_validation",
        "http_response_splitting"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/CRLF_Injection",
        "https://www.php.net/manual/en/function.header.php"
    ],
    "bad_code": "header('Location: ' . $_GET['url']); // \\r\\n in url splits response",
    "good_code": "$url = str_replace([\"\\r\", \"\\n\"], '', $_GET['url']);\nheader('Location: ' . $url);",
    "quick_fix": "Reject, or at minimum strip, \\r and \\n from any user input used in HTTP headers — in PHP 8.0+ header() throws on CRLF automatically, but validate explicitly for older code and for any header built by hand rather than through header()",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/crlf_injection",
        "html_url": "https://codeclaritylab.com/glossary/crlf_injection",
        "json_url": "https://codeclaritylab.com/glossary/crlf_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[CRLF Injection](https://codeclaritylab.com/glossary/crlf_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/crlf_injection"
            }
        }
    }
}