http.client: HTTP Header Injection in the HTTP method

It is possible to inject HTTP headers via the HTTP method, because http.client does not reject newline characters in it.


  • Disclosure date: 2020-02-10 (Python issue bpo-39603 reported)

Fixed In

Python issue

[security][CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method.

  • Python issue: bpo-39603
  • Creation date: 2020-02-10
  • Reporter: Max


http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
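The following is an added example, not code from CPython or from this advisory. It models how a method value containing CR and LF changes the serialized request head, and shows an application-side check that rejects such a value before it reaches `HTTPConnection.request`. The names `request_head`, `header_names`, `validate_method`, `safe_request` and the sample values are hypothetical, and the RFC 7230 token check is this example's choice (stricter than rejecting newlines only).

```python
import re

# RFC 7230 "token" characters: the only characters a request method may contain.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def validate_method(method):
    """Return method unchanged if it is a valid HTTP token, else raise ValueError."""
    if not isinstance(method, str) or not _TOKEN_RE.fullmatch(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def request_head(method, path, host):
    """Simplified model (an assumption of this example) of request serialization."""
    return ("%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (method, path, host)).encode("ascii")


def header_names(raw):
    """List the header field names a receiver would see in the request head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # skip the request line
    return [line.split(b":", 1)[0].decode("ascii") for line in lines if b":" in line]


# Constructed sample: a method value that arrived from untrusted input.
TAINTED = "GET\r\nX-Injected: 1"


def safe_request(conn, method, url, body=None, headers=None):
    """Validate the method, then call request() on an http.client connection."""
    conn.request(validate_method(method), url, body=body, headers=headers or {})


if __name__ == "__main__":
    print(header_names(request_head("GET", "/", "example.test")))
    print(header_names(request_head(TAINTED, "/", "example.test")))
    try:
        validate_method(TAINTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Calling `safe_request` instead of `conn.request` keeps the check in place on interpreters older than the fixed versions listed above.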


Timeline using the disclosure date 2020-02-10 as reference: