FixVibe

// probes / spotlight

CRLF / Response Splitting

If user input lands in a response header, line breaks let the attacker write their own headers.

The hook

Response splitting is the network protocol equivalent of finding a typewriter and discovering the carriage-return key works. HTTP headers are delimited by `\r\n`. Any place user input gets concatenated into a header without filtering those bytes, the attacker can end one header line and start another. Modern frameworks strip CR/LF before they ever reach the wire, so most apps are immune by accident — but the bug still appears in custom header-handling code, in proxy layers that forward user-controlled values, and in language features that lag behind framework norms (raw FastCGI bridges, mod_perl, certain Lua patterns, anywhere someone wrote `header('Location: ' + req.query.next)` without the framework's redirect helper).

Чӣ тавр кор мекунад

CRLF injection appears when user-controlled text reaches response headers without proper normalization. Attackers may be able to split headers, poison caches, or alter downstream browser behavior.

The blast radius

Cookie injection (session fixation, role escalation if the app trusts cookies for authorization). Cache poisoning across CDN edges, where one attacker request taints responses for every later visitor. XSS via injected Content-Type or HTML body. CRLF in `Location:` headers can also enable open-redirect-style phishing through legitimate-looking flows.

// what fixvibe checks

What FixVibe checks

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Ironclad defenses

Strip or reject CR (`\r`, `%0d`) and LF (`\n`, `%0a`) in any user input that reaches a response header. Most modern frameworks do this automatically: Express's `res.redirect` rejects line breaks, Django's `HttpResponseRedirect` URL-encodes them, Rails sanitizes header values. The bugs cluster in custom code — proxy handlers, signed-URL generators, OAuth callback constructors, anywhere someone reaches into `res.setHeader` directly. Audit those code paths and pass user input through a strict header-value sanitizer. As a defense-in-depth measure, ensure your CDN normalizes or rejects ambiguous responses (most modern CDNs do this by default; older nginx-as-cache configurations may not). Use HTTP/2 between proxy and origin where possible — HTTP/2 frames eliminate the CR/LF parsing ambiguity entirely.

// run it on your own app

Keep shipping while FixVibe keeps watch.

FixVibe pressure-tests the public surface of your app the way an attacker would — no agent, no install, no card. We keep researching new vulnerability patterns and turn them into practical checks and paste-ready fixes for Cursor, Claude, and Copilot.

پروب‌های active
103
tests fired in this category
modules
27
dedicated پروب‌های active checks
every scan
384+
tests across all categories
  • Free — no credit card, no install, no Slack ping
  • Just paste a URL — we crawl, probe, and report
  • Severity-graded findings, deduped to signal only
  • Current, AI-ready fix prompts you can paste into Cursor, Claude, Copilot
Run a free scan

// latest checks · practical fixes · ship with confidence

CRLF / Response Splitting — Vulnerability Spotlight | FixVibe · FixVibe