CVE-2026-42874: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in miguelgrinberg microdot
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.
AI Analysis
Technical Summary
Microdot versions before 2.6.1 have an improper neutralization of CRLF sequences in the Response.set_cookie() method, which fails to sanitize input strings and detect \r\n sequences. This can enable HTTP request/response splitting attacks if an attacker can first infiltrate a client to send malicious cookie data. The vulnerability is limited in scope to the compromised client and does not affect others. The vulnerability is tracked as CWE-113 and has a CVSS 3.1 base score of 3.7 (low severity). No official remediation level or patch link is provided in the source, but the issue is fixed in version 2.6.1.
Potential Impact
The vulnerability allows an attacker who has already compromised a client to perform HTTP header injection via crafted cookie values. This can lead to limited impact such as response splitting attacks for that specific client. There is no indication of broader impact or remote exploitation without prior client compromise. The CVSS score of 3.7 reflects low impact with limited exploitability.
Mitigation Recommendations
Upgrade microdot to version 2.6.1 or later, where the Response.set_cookie() method properly sanitizes input and prevents CRLF injection. Since the vulnerability requires prior client compromise, mitigating client-side vulnerabilities (e.g., XSS) also reduces risk. Patch status is not explicitly confirmed in the advisory, but the fix is included in version 2.6.1 as stated.
CVE-2026-42874: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in miguelgrinberg microdot
Description
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Microdot versions before 2.6.1 have an improper neutralization of CRLF sequences in the Response.set_cookie() method, which fails to sanitize input strings and detect \r\n sequences. This can enable HTTP request/response splitting attacks if an attacker can first infiltrate a client to send malicious cookie data. The vulnerability is limited in scope to the compromised client and does not affect others. The vulnerability is tracked as CWE-113 and has a CVSS 3.1 base score of 3.7 (low severity). No official remediation level or patch link is provided in the source, but the issue is fixed in version 2.6.1.
Potential Impact
The vulnerability allows an attacker who has already compromised a client to perform HTTP header injection via crafted cookie values. This can lead to limited impact such as response splitting attacks for that specific client. There is no indication of broader impact or remote exploitation without prior client compromise. The CVSS score of 3.7 reflects low impact with limited exploitability.
Mitigation Recommendations
Upgrade microdot to version 2.6.1 or later, where the Response.set_cookie() method properly sanitizes input and prevents CRLF injection. Since the vulnerability requires prior client compromise, mitigating client-side vulnerabilities (e.g., XSS) also reduces risk. Patch status is not explicitly confirmed in the advisory, but the fix is included in version 2.6.1 as stated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T18:49:06.711Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a022c38cbff5d86104f7cd9
Added to database: 5/11/2026, 7:21:28 PM
Last enriched: 5/11/2026, 7:38:11 PM
Last updated: 5/12/2026, 2:53:46 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.