Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-45597

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-10 Sep, 2024 | 21:42
Updated At-11 Sep, 2024 | 13:28
Rejected At-
Credits

Pluto's http.request allows CR and LF in header values

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:10 Sep, 2024 | 21:42
Updated At:11 Sep, 2024 | 13:28
Rejected At:
▼CVE Numbering Authority (CNA)
Pluto's http.request allows CR and LF in header values

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Affected Products
Vendor
PlutoLang
Product
Pluto
Versions
Affected
  • >= 0.9.0, <= 0.9.4
Problem Types
TypeCWE IDDescription
CWECWE-93CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Type: CWE
CWE ID: CWE-93
Description: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7
x_refsource_CONFIRM
https://github.com/PlutoLang/Pluto/pull/945
x_refsource_MISC
Hyperlink: https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/PlutoLang/Pluto/pull/945
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Vendor
pluto
Product
pluto
CPEs
  • cpe:2.3:a:pluto:pluto:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0.9.0 through 0.9.4 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:10 Sep, 2024 | 22:15
Updated At:05 Mar, 2025 | 14:53

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
pluto-lang
pluto-lang
>>pluto>>Versions from 0.9.0(inclusive) to 0.9.5(exclusive)
cpe:2.3:a:pluto-lang:pluto:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-93Secondarysecurity-advisories@github.com
CWE ID: CWE-93
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/PlutoLang/Pluto/pull/945security-advisories@github.com
Patch
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7security-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/PlutoLang/Pluto/pull/945
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2025-8419
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 12.00%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 17:10
Updated-13 Aug, 2025 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.keycloak/keycloak-services: keycloak smtp inject vulnerability

A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-keycloakRed Hat Build of Keycloak
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2023-49082
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.35%
||
7 Day CHG~0.00%
Published-29 Nov, 2023 | 20:07
Updated-02 Aug, 2024 | 21:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aiohttp's ClientSession is vulnerable to CRLF injection via method

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Action-Not Available
Vendor-aiohttpaio-libs
Product-aiohttpaiohttp
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-20
Improper Input Validation
CVE-2023-26148
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.43%
||
7 Day CHG~0.00%
Published-29 Sep, 2023 | 05:00
Updated-23 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.

Action-Not Available
Vendor-ithewein/a
Product-libhvithewei/libhv
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2022-35948
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 41.75%
||
7 Day CHG~0.00%
Published-13 Aug, 2022 | 00:00
Updated-22 Apr, 2025 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRLF Injection in Nodejs ‘undici’ via Content-Type

undici is an HTTP/1.1 client, written from scratch for Node.js.`=< undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header. Example: ``` import { request } from 'undici' const unsanitizedContentTypeInput = 'application/json\r\n\r\nGET /foo2 HTTP/1.1' await request('http://localhost:3000, { method: 'GET', headers: { 'content-type': unsanitizedContentTypeInput }, }) ``` The above snippet will perform two requests in a single `request` API call: 1) `http://localhost:3000/` 2) `http://localhost:3000/foo2` This issue was patched in Undici v5.8.1. Sanitize input when sending content-type headers using user input as a workaround.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2022-31150
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 52.15%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 20:40
Updated-22 Apr, 2025 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CRLF injection in request headers

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate `\r\n` is a workaround for this issue.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)
Product-undiciundici
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2024-5193
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.27% / 49.99%
||
7 Day CHG~0.00%
Published-22 May, 2024 | 10:31
Updated-23 Jun, 2025 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ritlabs TinyWeb Server Request crlf injection

A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been classified as problematic. Affected is an unknown function of the component Request Handler. The manipulation with the input %0D%0A leads to crlf injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-265830 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-ritlabsRitlabsritlabs
Product-tinywebTinyWeb Servertinyweb
CWE ID-CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Details not found