The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.
The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.
Cherry-pick the commit to your own fork can resolves the vulberability too.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-93" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-03-21T22:41:11Z" }