CVE-2023-0508 LOW

CVE-2023-0508: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in GitLab

Vendor Gitlab
Product GitLab
Weakness CWE-113 · HTTP response splitting
Published June 7, 2023
Last update January 7, 2025
View on NVD All CVEs

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API.

Key dates

02Disclosure timeline

June 7, 2023 CVE published
January 7, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-40927 CGI::Simple versions 1.281 and earlier for Perl has a HTTP response splitting flaw CVE-2021-0268 Junos OS: J-Web has an Improper Neutralization of CRLF Sequences in its HTTP Headers which allows an attacker to carry out multiple types of attacks. CVE-2025-30221 Pitchfork HTTP Request/Response Splitting vulnerability CVE-2026-48596 CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection CVE-2026-40175 Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain