http.client: HTTP Header Injection in the HTTP method


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

It is possible to inject HTTP headers via the HTTP method which doesn’t reject newline characters.


  • Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)

Fixed In

Python issue

[security][ CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method.

  • Python issue: bpo-39603
  • Creation date: 2020-02-10
  • Reporter: Max


http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.


Timeline using the disclosure date 2020-02-10 as reference: