{"id":"CVE-2024-45302","summary":"CRLF Injection in RestSharp's `RestRequest.AddHeader` method","details":"RestSharp is a Simple REST and HTTP API Client for .NET. The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method which does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the RestSharp library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using RestSharp, not in RestSharp itself, but I would argue that at the very least there needs to be a warning about this behaviour in the RestSharp documentation. RestSharp has addressed this issue in version 112.0.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.","aliases":["GHSA-4rr6-2v9v-wcpc"],"modified":"2026-04-16T04:13:46.028250Z","published":"2024-08-29T21:18:43.261Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45302.json","cwe_ids":["CWE-93"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45302.json"},{"type":"ADVISORY","url":"https://github.com/restsharp/RestSharp/security/advisories/GHSA-4rr6-2v9v-wcpc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45302"},{"type":"FIX","url":"https://github.com/restsharp/RestSharp/commit/0fba5e727d241b1867bd71efc912594075c2934b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/restsharp/RestSharp","events":[{"introduced":"584fe59be8711c693a378fa7242d2d8e7b27ae52"},{"fixed":"0fba5e727d241b1867bd71efc912594075c2934b"}],"database_specific":{"versions":[{"introduced":"107.0.0"},{"fixed":"112.0.0"}]}},{"type":"GIT","repo":"https://github.com/restsharp/restsharp","events":[{"introduced":"0"},{"fixed":"0fba5e727d241b1867bd71efc912594075c2934b"}]}],"versions":["103.2","103.3","103.4","104.0","104.1","104.2","104.3.3","104.5.0","105.0","105.0.1","105.1.0","105.2.1","105.2.2","105.2.3","106.10.0","106.10.1","106.11.0","106.11.1","106.11.2","106.11.3","106.11.4","106.11.7","106.12","106.12.0","106.13.0","106.14.0","106.15.0","106.2","106.2.1","106.2.2","106.3","106.3.1","106.6.10","106.6.7","106.6.8","106.7","106.7.0","106.8.9","106.9.0","107.0.0","107.0.0-preview","107.0.1","107.0.2","107.0.3","107.1.0","107.1.1","107.1.2","107.2.0","107.2.1","108.0.0","108.0.1","108.0.2","108.0.3","109.0.0","109.0.1","110.0.0","110.1.0","110.2.0","111.0.0","111.1.0","111.2.0","111.3.0","111.4.0","111.4.1","legacy","v102.6","v102.7","v103.0","v103.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45302.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H"}]}