CRLF Injection Vulnerabilities Identified in Popular .NET Libraries RestSharp and Refit

Security researchers have uncovered critical CRLF (Carriage Return Line Feed) injection vulnerabilities in two widely used .NET libraries, RestSharp and Refit.

These flaws, which allow attackers to manipulate HTTP headers and potentially execute HTTP request splitting, have been assigned CVE-2024-45302 for RestSharp and CVE-2024-51501 for Refit.

Background on CRLF Injection

CRLF injection vulnerabilities arise when user-controllable input is improperly validated and incorporated into HTTP headers.

By injecting \r\n (CRLF characters) into a header, an attacker can insert malicious headers or even create additional HTTP requests.

This can lead to request splitting, cache poisoning, or other security threats.For example, a vulnerable HTTP request might look like this:

GET /about/ HTTP/1.1

Host: victim.com

Some-Header: user_input\r\nInjected-Header: malicious_value

If not validated, the payload user_input\r\nInjected-Header: malicious_value introduces a new header, allowing an attacker to manipulate the request’s structure.

Vulnerabilities in RestSharp and Refit

RestSharp (CVE-2024-45302)

RestSharp, a popular library for simplifying HTTP API interactions, was found to be susceptible to CRLF injection due to its unsafe handling of user-supplied header values.

The issue stemmed from its use of the .TryAddWithoutValidation method from the .NET System.Net.Http.Headers.HttpHeaders class, which bypasses header value validation.Affected APIs include:

• AddHeader(string name, string value)
• AddHeader<T>(string name, T value)
• AddOrUpdateHeader(string name, string value)
• AddDefaultHeader(string name, string value) (in the RestSharp.RestClient class)

A proof-of-concept demo showed how an attacker could exploit the AddHeader method to inject malicious headers or split requests.

When supplied with a CRLF payload, RestSharp allowed malformed HTTP requests, confirmed via server logs that showed multiple requests being executed.

Refit (CVE-2024-51501)

Refit, an automatic, type-safe REST client library for .NET, also relied on TryAddWithoutValidation, leading to similar vulnerabilities.

Attackers could exploit the following attributes to inject malicious input:

• [Header(string name)] for custom headers
• [Authorize(string type)] for authorization tokens
• [Headers(string header)] at the method level (though harder to exploit)

In a demonstration, researchers showcased how using [Header(“X-Custom-Name”)] or [Authorize(“Bearer”)] could allow CRLF payloads to bypass validation and create request splitting.

The vulnerabilities were uncovered during a detailed analysis of publicly available GitHub repositories and NuGet packages.

Security researcher from Binary Security, Christian initially noted that .NET’s HttpHeaders.TryAddWithoutValidation method lacked robust input validation, prompting Binary Security to investigate its real-world usage.

Popular due to their extensive adoption, the flaws in RestSharp and Refit have far-reaching implications for applications relying on these libraries for HTTP communication.

Developers using these libraries should be aware of the risks and update to patched versions as soon as they are available.

1. Update Libraries: Ensure you are using secure versions of RestSharp and Refit when patches are released.
2. Input Validation: Avoid using TryAddWithoutValidation directly; instead, validate all user input before adding it to headers.
3. Code Review: Audit your codebase for usage of vulnerable methods and attributes in RestSharp and Refit.
4. Monitoring: Monitor application logs and network traffic for unusual HTTP requests that could indicate exploitation attempts.

Binary Security’s findings not only highlight the importance of secure programming practices in open-source libraries but also underscore the need for developers to remain vigilant.

While no real-world exploitation of these flaws has been reported, the potential for abuse exists. Both RestSharp and Refit maintainers are expected to address these issues in upcoming updates.

As applications increasingly rely on third-party libraries, this discovery serves as a crucial reminder for developers to prioritize security in their dependencies.

Collect Threat Intelligence with TI Lookup to improve your company’s security - Get 50 Free Request