CRITICAL🇵🇱 Wersja polska

CVE-2024-51501

CVSS 10.0v4.0pub. 2024-11-04upd. 2026-04-15

Refit is an automatic type-safe REST library for .NET Core, Xamarin and .NET The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method. This method does not check for CRLF characters in the header value. This means that any headers added to a refit request are vulnerable to CRLF-injection. In general, CRLF-injection into a HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests. If an application using the Refit library passes a user-controllable value through to a header, then that application becomes vulnerable to CRLF-injection. This is not necessarily a security issue for a command line application like the one above, but if such code were present in a web application then it becomes vulnerable to request splitting (as shown in the PoC) and thus Server Side Request Forgery. Strictly speaking this is a potential vulnerability in applications using Refit and not in Refit itself. This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

🤖 AI Analysis
How it works

Refit header attributes add values to HTTP requests using the `HttpHeaders.TryAddWithoutValidation` method, which does not verify the presence of CRLF characters (\r\n) in the passed values. If an application passes a user-controlled value to a header, an attacker can embed a CRLF sequence in it, allowing arbitrary headers to be added or HTTP requests to be split (request splitting). In HTTP/1.1 protocol, such an attack can result in smuggling entire HTTP requests to the target server or intermediate servers.

Impact

An attacker can inject arbitrary HTTP headers into outgoing requests, perform request splitting, and conduct Server Side Request Forgery (SSRF) attacks, gaining access to internal resources that are not directly accessible from outside.

Mitigation & patch

The Refit library should be updated to version 7.2.22 or 8.0.0, in which the issue has been fixed. The vendor indicates that there are no known workarounds for this vulnerability – updating is the only recommended action.

Who is affected

The Refit library for .NET Core, Xamarin and .NET – all versions preceding 7.2.22 and 8.0.0, where Header, HeaderCollection or Authorize attributes are used with values derived from user input.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References