PYSEC-2026-1222

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/blacksheep/PYSEC-2026-1222.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1222
Aliases
Published
2026-07-07T16:03:18.908634Z
Modified
2026-07-07T17:47:32.644648259Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
BlackSheep's ClientSession is vulnerable to CRLF injection
Details

Impact

The HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers.

Attack vector: Applications using user input in HTTP client requests (method, URL, headers).

Patches

Users who use the HTTP Client in BlackSheep should upgrade to 2.4.6.

Workarounds

If users handle headers from untrusted parties, they might reject values for header names and values that contain carriage returns.

References

https://owasp.org/www-community/vulnerabilities/CRLF_Injection

References

Affected packages

PyPI / blacksheep

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.6

Affected versions

0.*
0.0.1
0.0.2
0.0.4
0.0.5
0.0.6
0.0.7
0.0.9
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
2.*
2.0a0
2.0a1
2.0a2
2.0a3
2.0a4
2.0a5
2.0a6
2.0a7
2.0a8
2.0a9
2.0a10
2.0a11
2.0a12
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.2.0
2.3.0
2.3.1a1
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4a0
2.4.4a2
2.4.4
2.4.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/blacksheep/PYSEC-2026-1222.yaml"