CVE-2026-22779: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in Neoteroi BlackSheep
CVE-2026-22779 is a medium-severity vulnerability in the HTTP client of BlackSheep, a Python asynchronous web framework, in versions prior to 2.4.6. The client did not neutralize CRLF sequences in HTTP header values, so an application that passed unsanitized user input into a header of an outgoing request could have extra headers injected or an additional request appended (HTTP request splitting). Server-side response handling is not affected, because BlackSheep delegates response header processing to the underlying ASGI server. Exploitation requires no authentication or user interaction, but it does require vulnerable client code that places untrusted input into a header. The issue is fixed in BlackSheep 2.4.6.
AI Analysis
Technical Summary
CVE-2026-22779 is classified under CWE-113 (improper neutralization of CRLF sequences in HTTP headers) and affects the HTTP client implementation of BlackSheep, a Python framework for building asynchronous, event-driven web applications. Prior to version 2.4.6, the client did not validate header values before serializing them, so carriage return (0x0d) and line feed (0x0a) characters embedded in a value were written to the wire as-is. Because HTTP/1.x delimits header fields with CRLF, an injected sequence ends the current header early and lets the attacker supply further header lines; a CRLF CRLF sequence ends the header block, after which the remaining bytes may be parsed by the upstream server as the start of a second request. In the client context, the direct effect is therefore that an attacker who controls a forwarded value also controls headers, or an entire additional request, sent by the application to the upstream service. The advisory text also lists the classic downstream consequences of splitting, namely header injection, cache poisoning, cross-site scripting and web cache deception; these depend on how intermediaries and the upstream parser handle the smuggled bytes. Exploitation requires that the application pass unsanitized user input into a request header, so the flaw is only reachable through insecure application code. Server-side response handling is unaffected because BlackSheep delegates response header processing to the ASGI server, which performs its own header checks. The vulnerability has a CVSS 4.0 base score of 6.3 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on integrity and confidentiality. It was publicly disclosed on January 14, 2026, and fixed in BlackSheep 2.4.6. No exploitation in the wild has been reported to date.
Potential Impact
For European organizations running applications built on BlackSheep versions prior to 2.4.6, the risk is that an attacker who controls a value the application forwards in an outgoing request header can inject arbitrary headers into, or append a second request to, traffic the application sends to upstream services. Depending on what the upstream service trusts, that can mean spoofed client-identity headers, manipulated routing or caching behaviour, or requests issued on the application's behalf to endpoints the attacker could not reach directly. The advisory text further lists session fixation, cache poisoning, cross-site scripting and redirect attacks as possible outcomes where intermediaries or browsers process the split traffic. Confidentiality and integrity of user data can be affected, trust in the service degraded, and the injected requests chained into phishing or credential theft. The vulnerability does not affect server response headers, which removes the most direct response-splitting vectors, but request-side manipulation remains usable in multi-stage attack chains. Since exploitation requires the unsafe coding pattern of passing unsanitized input into headers, the risk is highest in custom or less mature code bases. The medium severity score indicates a moderate but actionable threat. Entities in finance, healthcare and government that expose BlackSheep-based applications should be particularly vigilant given the sensitivity of their data and regulatory requirements such as GDPR.
Mitigation Recommendations
European organizations should upgrade every application that uses the BlackSheep HTTP client to version 2.4.6 or later. Independently of the upgrade, developers should audit their code bases for places where user-controlled data is copied into outgoing request headers, and enforce validation at those points: reject (rather than silently strip) any header value containing CR, LF or other control characters, and restrict header names to RFC 9110 token characters. Security code review and static analysis rules that flag header construction from request parameters help find the pattern at scale, and higher-level client abstractions that validate headers for you are preferable to manual header assembly. Operationally, monitor application logs for inbound parameters containing CRLF sequences, and configure web application firewalls to detect and block CRLF injection and request splitting attempts. Train development teams on safe header handling, and maintain an inventory of applications that depend on BlackSheep so patching and risk assessment can be prioritised.
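As an added example (not code from the BlackSheep project or from this advisory), the following Python models the class of bug described above: a client that concatenates header values into the request bytes without neutralizing CR and LF, beside a validator that rejects such values before they reach any HTTP client. The tainted header value, paths and hostnames are constructed for the demonstration, and the serializer stands in for the vulnerable behaviour rather than reproducing BlackSheep's own code; the validation routine is library-agnostic and can be applied in front of whatever client an application uses.

```python
import re

# RFC 9110 field-name token characters, and a deliberately conservative
# field-value policy: horizontal tab plus printable ASCII. CR (0x0d) and LF
# (0x0a) fall outside both classes, so they can never reach the wire.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_SAFE_VALUE = re.compile(rb"[\t\x20-\x7e]*")
_REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could break out of its header line."""


def validate_header(name: bytes, value: bytes) -> tuple[bytes, bytes]:
    # fullmatch, not match() with '$': '$' would accept a value ending in a bare LF.
    if not _TOKEN.fullmatch(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if not _SAFE_VALUE.fullmatch(value):
        raise HeaderInjectionError(f"control characters in header value: {value!r}")
    return name, value


def is_safe_header(name: bytes, value: bytes) -> bool:
    """Boolean form of validate_header, convenient for filtering and tests."""
    try:
        validate_header(name, value)
        return True
    except HeaderInjectionError:
        return False


def serialize_request_naive(method: bytes, path: bytes, headers) -> bytes:
    """Builds the request bytes by plain concatenation with no neutralization.
    This models the vulnerable behaviour (hypothetical; not BlackSheep's code)."""
    lines = [b"%s %s HTTP/1.1" % (method, path)]
    lines += [b"%s: %s" % (n, v) for n, v in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def serialize_request_safe(method: bytes, path: bytes, headers) -> bytes:
    """Same serializer, but every header is validated before it is written."""
    return serialize_request_naive(method, path, [validate_header(n, v) for n, v in headers])


def count_request_lines(raw: bytes) -> int:
    """Number of request lines a line-oriented HTTP/1.x parser would see in raw.
    Anything above 1 means the single intended request was split."""
    return sum(1 for line in raw.split(b"\r\n") if _REQUEST_LINE.fullmatch(line))


# Constructed attacker input: a value an application might receive in a query
# parameter and forward unchanged as Accept-Language to an upstream API.
TAINTED = (b"en-GB\r\n"
           b"X-Forwarded-For: 127.0.0.1\r\n"
           b"\r\n"
           b"GET /admin HTTP/1.1\r\n"
           b"Host: upstream.internal")


def demo() -> dict:
    """Runs the vulnerable and the hardened path on the same input."""
    headers = [(b"Host", b"api.example"), (b"Accept-Language", TAINTED)]
    naive = serialize_request_naive(b"GET", b"/search", headers)
    try:
        serialize_request_safe(b"GET", b"/search", headers)
        rejected = False
    except HeaderInjectionError:
        rejected = True
    clean = serialize_request_safe(
        b"GET", b"/search", [(b"Host", b"api.example"), (b"Accept-Language", b"en-GB")]
    )
    return {
        "naive_request_lines": count_request_lines(naive),  # 2: one was injected
        "naive_has_injected_header": b"\r\nX-Forwarded-For: 127.0.0.1\r\n" in naive,
        "safe_rejected": rejected,  # True: the validator refused the tainted value
        "clean_request_lines": count_request_lines(clean),  # 1
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

The naive path produces a byte stream in which a second request line and a spoofed X-Forwarded-For header appear exactly where an upstream parser would accept them; the hardened path raises before anything is serialized. Rejecting rather than stripping is deliberate: stripping CRLF can leave a value that still means something unintended, whereas rejecting forces the calling code to decide what a legitimate value looks like.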
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T18:27:19.388Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6967e9c5f809b25a98cd9f44
Added to database: 1/14/2026, 7:08:53 PM
Last enriched: 1/14/2026, 7:09:47 PM
Last updated: 1/14/2026, 8:44:04 PM