HTTP Response Splitting

Also known as: CRLF injection in HTTP, HTTP header injection

Definition

An injection vulnerability where untrusted CR/LF characters in user input force the server to emit additional, attacker-controlled HTTP responses.

HTTP response splitting (CRLF injection) occurs when an application reflects user input into response headers (typically Location, Set-Cookie, or custom headers) without filtering carriage-return (CR) and line-feed (LF) bytes. By injecting %0d%0a, the URL-encoded CR LF pair, the attacker terminates the original header block and inserts headers, status lines, or even a whole second response. Consequences include cache poisoning, cross-site scripting, session fixation, and credential disclosure to intermediaries. The classic CWE-113 and CVE-2004-0500 disclosures highlighted the impact. Mitigations: reject or escape CR/LF in header values, use frameworks that disallow newline injection in header APIs, and prefer redirect helpers that URL-encode their inputs.

Examples

  • Setting a Location header from a user parameter that contains %0d%0a to inject Set-Cookie.
  • Splitting a response so the cache stores an attacker-controlled body for /home.
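
The first example above, next to the two mitigations from the definition (rejecting control characters and URL-encoding the redirect target). This is an added illustration, not code from the glossary; the function names, the toy serializer, and the sample value are all constructed for it.

```python
from urllib.parse import quote, unquote

def render(status: str, headers: list[tuple[str, str]]) -> bytes:
    """Serialize a response head the way a naive server would: no validation."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")

def redirect_vulnerable(next_param: str) -> bytes:
    # Deliberately vulnerable: the decoded parameter reaches the header as-is.
    return render("302 Found", [("Location", unquote(next_param)),
                                ("Content-Length", "0")])

def checked_header(name: str, value: str) -> tuple[str, str]:
    # Mitigation 1: reject CR, LF and every other control character outright
    # (stricter than HTTP requires, since it also refuses a horizontal tab).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name + value):
        raise ValueError(f"control character in header {name!r}")
    return name, value

def redirect_hardened(next_param: str) -> bytes:
    # Mitigation 2: re-encode the target so CR/LF become inert %0D%0A text,
    # then still pass it through the rejecting check as defence in depth.
    target = quote(unquote(next_param), safe="/:?&=#")
    return render("302 Found", [checked_header("Location", target),
                                checked_header("Content-Length", "0")])

def header_names(raw: bytes) -> list[str]:
    """Header names a client or cache would parse from the first response head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return [line.split(b":", 1)[0].decode().lower()
            for line in head.split(b"\r\n")[1:]]

# Constructed sample input: a `next` query value carrying an encoded CR LF.
SAMPLE = "/home%0d%0aSet-Cookie:%20sid=constructed-value"

if __name__ == "__main__":
    print(header_names(redirect_vulnerable(SAMPLE)))  # extra set-cookie header
    print(header_names(redirect_hardened(SAMPLE)))    # only the intended headers
    print(redirect_hardened(SAMPLE).decode())
```

In the hardened output the injected text survives only as percent-encoded data inside the Location value, so a client or cache sees a single header where the vulnerable version shows two.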

Related terms