# CWE-93 CRLF Injection

## Description

CRLF Injection: untrusted input containing a carriage return (`\r`) or line feed (`\n`) is written into an HTTP header or redirect target, so the input can end the header line it was meant to be a value of and start new headers, or a response body, of the attacker's choosing.

- Reference: https://cwe.mitre.org/data/definitions/93.html
- OWASP Category: A03:2021 – Injection
## Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: user input written directly into a response header
response.setHeader("X-Custom", userInput);

// VULNERABLE: user-controlled URL written into the Location header
response.sendRedirect(userUrl);
```

Why it's vulnerable: a `\r\n` pair terminates an HTTP header line. If user input containing it reaches `setHeader`, or `sendRedirect` (which writes the value into the `Location` header), everything after the pair is interpreted as further headers, and after an empty line as the start of the response body (HTTP response splitting). Many current servlet containers reject or strip CR/LF in header values, but the application must not rely on container behaviour.
## Deterministic Fix

✅ Secure Implementation

```java
// SECURE: remove CR and LF characters before the value reaches the header
String safeValue = userInput.replaceAll("[\\r\\n]", "");
response.setHeader("X-Custom", safeValue);

// For redirects, URL-encode the user-supplied component of the URL
// (encoding a complete URL would also encode its '/' and ':' and break the redirect)
String safeUrl = URLEncoder.encode(userUrl, StandardCharsets.UTF_8);
```

Why it's secure: with every CR and LF removed, the header value cannot terminate its own line, so no additional headers or body can be injected. URL encoding turns CR/LF in the user-supplied part of a redirect into `%0D%0A`, which is an ordinary character sequence inside a `Location` header rather than a line break.
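The fix above as a complete, compilable helper (an added example, not code from the original page or from the skills generator): the page's strip-CR/LF fix, a stricter reject-instead-of-strip variant, and a redirect builder that encodes only the user-controlled query value. The class name `SafeResponse`, the method names and the sample payload in `main` are all constructed for this example. The `main` method doubles as the kind of unit test the Verification section below asks for.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example (not from the original page): helpers that neutralise CR/LF
// before a value is handed to response.setHeader / response.sendRedirect.
// Class and method names are assumptions made for this example.
public final class SafeResponse {

    // CR, LF and the remaining ASCII control characters have no place in a header value.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\r\\n\\x00-\\x1F\\x7F]");

    private SafeResponse() {}

    /** The page's fix: strip CR/LF (and other control characters) from an untrusted value. */
    public static String stripHeaderValue(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        return CONTROL_CHARS.matcher(untrusted).replaceAll("");
    }

    /** Stricter variant: reject rather than silently alter, so the attempt is visible to logging. */
    public static String requireCleanHeaderValue(String untrusted) {
        if (untrusted == null || CONTROL_CHARS.matcher(untrusted).find()) {
            throw new IllegalArgumentException("header value contains control characters");
        }
        return untrusted;
    }

    /**
     * Builds a redirect target from a fixed, trusted path and a user-controlled query value.
     * Only the untrusted component is encoded; encoding the whole URL would turn
     * '/' and ':' into %2F and %3A and break the redirect.
     */
    public static String buildRedirect(String trustedPath, String paramName, String untrustedValue) {
        String encoded = URLEncoder.encode(untrustedValue == null ? "" : untrustedValue,
                                           StandardCharsets.UTF_8);
        return trustedPath + "?" + paramName + "=" + encoded;
    }

    // Self-check with a constructed payload containing a CR/LF pair followed by a bogus header.
    public static void main(String[] args) {
        String payload = "value\r\nX-Injected: 1"; // constructed sample input

        String stripped = stripHeaderValue(payload);
        if (stripped.contains("\r") || stripped.contains("\n")) {
            throw new AssertionError("CR/LF survived stripping");
        }

        boolean rejected = false;
        try {
            requireCleanHeaderValue(payload);
        } catch (IllegalArgumentException e) {
            rejected = true;
        }
        if (!rejected) {
            throw new AssertionError("strict variant accepted CR/LF");
        }

        String url = buildRedirect("/search", "q", payload);
        if (url.contains("\r") || url.contains("\n")) {
            throw new AssertionError("CR/LF reached the redirect target");
        }

        System.out.println("stripped : " + stripped);   // valueX-Injected: 1
        System.out.println("redirect : " + url);        // /search?q=value%0D%0AX-Injected%3A+1
    }
}
```

The strings returned by `stripHeaderValue` and `buildRedirect` are what you pass to `response.setHeader` and `response.sendRedirect`. `URLEncoder.encode(String, Charset)` requires Java 10 or later; on older runtimes use the `String, String` overload with `"UTF-8"`.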
## Detection Pattern

Look for these patterns in your codebase:

```bash
# Find header and redirect sinks that take values from the request
grep -rnE "(setHeader|addHeader|sendRedirect)\(.*(getParameter|getHeader|request\.)" --include="*.java" .
```
## Remediation Steps

- Strip CR (`\r`) and LF (`\n`) from all header values
- URL-encode user input used in redirects
- Use framework-provided methods that auto-sanitize

## Key Imports

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
```
## Verification

After remediation:

- Run SAST scanner to confirm vulnerability is resolved
- Review all instances of the vulnerable pattern
- Add unit tests that verify the secure implementation
- Check for similar patterns in related code
## Trigger Examples

- Fix CWE-93 vulnerability
- Resolve CRLF Injection issue
- Secure this Java code against CRLF injection
- SAST reports CWE-93
## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
## References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07