
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability list (107)

Summary of the 107 CVE vulnerabilities belonging to the CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') weakness class, with AI-generated Chinese analysis.

CRLF injection is an input-validation flaw in which a program fails to filter carriage-return and line-feed characters out of user input. An attacker exploits it by injecting CRLF sequences that tamper with HTTP response headers or forge log entries, and from there carries out session hijacking, cross-site scripting or cache poisoning. Developers should apply strict allow-list validation to user input so that it contains only permitted characters, and should escape or remove CRLF sequences before the input is used, closing the injection path.

Official MITRE CWE description
CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection'). Description: The product uses CRLF (carriage return line feed) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences in input.
Common consequences (1)
Integrity: Modify Application Data
Mitigations (2)
Implementation: Avoid using CRLF as a special sequence.
Implementation: Appropriately filter or quote CRLF sequences in user-controlled input.
Code examples (2)
The following code segment reads the name of the author of a weblog entry, author, from an HTTP request and sets it in a cookie header of an HTTP response.
    String author = request.getParameter(AUTHOR_PARAM);
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Bad · Java
    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    ...
Result
The following code is a workflow job written using YAML. The code attempts to download pull request artifacts, unzip from the artifact called pr.zip and extract the value of the file NR into a variable "pr_number" that will be used later in another job. It attempts to create a github workflow environment variable, writing to $GITHUB_ENV. The environment …
    name: Deploy Preview
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: 'Download artifact'
            uses: actions/github-script
            with:
              script: |
                var artifacts = await github.actions.listWorkflowRunArtifacts({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: ${{ github.event.workflow_run.id }},
                });
                var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
                  return artifact.name == "pr"
                })[0];
                var downloadPr = await github.actions.downloadArtifact({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  artifact_id: matchPrArtifact.id,
                  archive_format: 'zip',
                });
                var fs = require('fs');
Bad · Other
\nNODE_OPTIONS="--experimental-modules --experiments-loader=data:text/javascript,console.log('injected code');//"
Attack
CVE ID | Title | CVSS | Risk level | Published
CVE-2025-67735 | Netty injection vulnerability — netty | 6.5 | Medium | 2025-12-16
CVE-2025-14531 | Code-Projects Rental Management System injection vulnerability — Rental Management System | 4.3 | Medium | 2025-12-11
CVE-2025-54972 | Fortinet FortiMail injection vulnerability — FortiMail | 3.9 | Medium | 2025-11-18
CVE-2025-59151 | Pi-Hole Adminlte injection vulnerability — web | 8.2 | High | 2025-10-27
CVE-2025-59419 | Netty injection vulnerability — netty | 9.8 | - | 2025-10-15
CVE-2025-57804 | python-hyper h2 injection vulnerability — h2 | 7.5 (AI) | High (AI) | 2025-08-25
CVE-2025-8715 | PostgreSQL security vulnerability — PostgreSQL | 8.8 | High | 2025-08-14
CVE-2025-8419 | Keycloak injection vulnerability — keycloak | 5.3 | Medium | 2025-08-06
CVE-2025-41376 | TESI Gandia Integra Total SQL injection vulnerability — LimeSurvey | 8.8 | - | 2025-08-01
CVE-2025-6175 | DECE Software Geodi injection vulnerability — Geodi | 7.2 | High | 2025-07-29
CVE-2025-0293 | Ivanti Connect Secure and Ivanti Policy Secure injection vulnerability — Connect Secure | 6.6 | Medium | 2025-07-08
CVE-2025-53094 | ESPAsyncWebServer injection vulnerability — ESPAsyncWebServer | 5.8 (AI) | Medium (AI) | 2025-06-27
CVE-2025-52479 | Julia URIs.jl injection vulnerability — HTTP.jl | 5.4 (AI) | Medium (AI) | 2025-06-25
CVE-2025-40671 | AES Multimedia Gestnet injection vulnerability — Gestnet | 9.8 (AI) | Critical (AI) | 2025-05-26
CVE-2024-53693 | QNAP Systems QTS and QNAP Systems QuTS hero code injection vulnerability — QTS | 4.3 | - | 2025-03-07
CVE-2024-50405 | QNAP Systems QTS and QNAP Systems QuTS hero code injection vulnerability — QTS | 2.7 | - | 2025-03-07
CVE-2025-27111 | Rack security vulnerability — rack | 5.3 | - | 2025-03-04
CVE-2025-25184 | Rack security vulnerability — rack | 4.3 | - | 2025-02-12
CVE-2024-48868 | QNAP Systems QTS and QuTS hero security vulnerability — QTS | 5.3 | - | 2024-12-06
CVE-2024-48867 | QNAP Systems QTS and QuTS hero security vulnerability — QTS | 5.3 | - | 2024-12-06
CVE-2024-51501 | Refit injection vulnerability — refit | 6.5 (AI) | Medium (AI) | 2024-11-04
CVE-2024-7472 | Lunary security vulnerability — lunary-ai/lunary | 5.3 (AI) | Medium (AI) | 2024-10-29
CVE-2024-45597 | Pluto injection vulnerability — Pluto | 5.3 | Medium | 2024-09-10
CVE-2024-45302 | RestSharp security vulnerability — RestSharp | 6.1 | Medium | 2024-08-29
CVE-2024-5193 | CVE ID reserved — TinyWeb Server | 5.3 | Medium | 2024-05-22
CVE-2024-1226 | Rejetto Http File Server injection vulnerability — Http File Server | 7.5 | High | 2024-03-12
CVE-2024-20337 | Cisco Secure Client security vulnerability — Cisco Secure Client | 8.2 | High | 2024-03-06
CVE-2023-49082 | aiohttp injection vulnerability — aiohttp | 5.3 | Medium | 2023-11-29
CVE-2023-4768 | ZOHO ManageEngine Desktop Central injection vulnerability — Desktop Central | 6.1 | Medium | 2023-11-03
CVE-2023-4767 | ZOHO ManageEngine Desktop Central injection vulnerability — Desktop Central | 6.1 | Medium | 2023-11-03
(AI) marks a score or risk level produced by the platform's AI analysis rather than taken from the CVE record.

CWE-93 (Improper Neutralization of CRLF Sequences ('CRLF Injection')) is a common weakness class; this platform has collected 107 CVE vulnerabilities associated with it.