CVE-2020-7695: HTTP response splitting in uvicorn

July 29, 2020 (updated November 18, 2024)

Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers.

References

github.com/advisories/GHSA-f97h-2pfx-f59f
github.com/encode/uvicorn
github.com/pypa/advisory-database/tree/main/vulns/uvicorn/PYSEC-2020-151.yaml
nvd.nist.gov/vuln/detail/CVE-2020-7695
snyk.io/vuln/SNYK-PYTHON-UVICORN-570471

Detect and mitigate CVE-2020-7695 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →