CRLF injection occurs when an application accepts user input and uses it to construct messages, headers, or records that rely on carriage return \r and line…
CRLF injection occurs when an application accepts user input and uses it to construct messages, headers, or records that rely on carriage return (\r) and line feed (\n) characters as delimiters, without first removing or encoding those characters. An attacker can inject their own CRLF sequences to break out of the intended structure and inject malicious content — such as fake email headers, HTTP response headers, or log entries — that the application then processes as legitimate.
02How It Happens
Many protocols and file formats use CRLF (\r\n) as a line separator: email headers, HTTP responses, CSV files, and log files all depend on this boundary to distinguish one record or header from the next. When an application constructs these structures by concatenating user input directly without sanitization, an attacker can embed CRLF characters in their input to create fake lines. The application then treats the injected content as part of the legitimate structure, allowing the attacker to forge headers, inject log entries, or manipulate the protocol flow.
03Real-World Impact
CRLF injection can lead to email spoofing (injecting fake To: or Subject: headers), HTTP response splitting (injecting fake response headers or even a second HTTP response), log file poisoning (inserting false entries to cover tracks or mislead administrators), and cache poisoning. In email contexts, an attacker might inject a Bcc: header to receive a copy of a password-reset email. In HTTP contexts, an attacker might inject a Set-Cookie: header to hijack sessions. The severity depends on what protocol or format is being manipulated and what trust is placed in the resulting output.
Why it's vulnerable: The user_email and subject parameters are inserted directly into the email headers without removing or encoding CRLF characters. An attacker can inject \r\n to create new header lines, such as a Bcc: header to intercept the email.
Why it's vulnerable: User input is concatenated directly into the log entry without sanitization. An attacker can inject newline characters to create fake log entries that appear to be legitimate records.
Sanitize all user input that will be used in headers, log entries, or protocol-dependent structures by removing or rejecting \r and \n characters.
Use framework-provided functions for constructing emails (e.g., Python's email.mime module, PHP's wp_mail()) that handle header construction safely.
Validate input format — if a field should contain only alphanumeric characters or a specific pattern, enforce that with allowlisting rather than blacklisting.
Encode output appropriately — when displaying user-controlled data in logs or reports, ensure it cannot be misinterpreted as a new record or header.
Review code that constructs protocols — any place where you manually build HTTP headers, email messages, CSV rows, or log entries is a potential CRLF injection point.
Test with CRLF payloads — include \r\n sequences in your security testing of input fields, especially those used in email, logging, or header contexts.
06Signs You May Already Be Affected
Check your email logs and application logs for suspicious entries: look for unexpected header lines (e.g., Bcc:, Cc:, or Reply-To: headers appearing in log records), entries that appear to be from different users or timestamps than expected, or gaps in log sequence that suggest injected records. If you find evidence of forged email headers or log entries with embedded newlines, investigate whether user input was sanitized at the time those entries were created.