php · getkirby/cms
Heads-up
Kirby CMS HTTP Header Injection in Http\Remote before 4.9.4 and 5.4.4
What changed
Kirby CMS versions before 4.9.4 and 5.4.4 allowed HTTP header injection via newline characters in header values passed to the `Kirby\Http\Remote` class, enabling attackers to inject or override headers in outgoing requests.
Who it affects
Sites and plugins that use `Kirby\Http\Remote` (e.g., `Remote::request()`, `Remote::get()`, `Remote::post()`) with untrusted, user-controlled data in the `headers` option.
What to do today
Update Kirby to 4.9.4 or 5.4.4 (or any later release); these versions strip carriage-return and line-feed characters from header values before the outgoing request is built.
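As an added defensive example (not Kirby's own code), a plugin can validate user-influenced header values before handing them to `Remote::request()` instead of relying only on the patched core; it assumes the `headers` option takes a `name => value` array and that the call shape is `Remote::request($url, ['headers' => ...])`.

```php
<?php
// Added example, not part of Kirby: reject unsafe header values up front so
// the outgoing request is never built with extra header lines.
declare(strict_types=1);

/**
 * Returns true if the value is a safe single-line HTTP header value.
 * Rejects CR, LF and all other control characters (including NUL),
 * which is stricter than the upstream fix that strips only CR and LF.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

/**
 * Validates an array of header name => value pairs. Throws on the first
 * unsafe entry rather than silently stripping characters, so the caller
 * sees the problem. Names are limited to RFC 7230 token characters.
 */
function assertSafeHeaders(array $headers): array
{
    foreach ($headers as $name => $value) {
        if (!is_string($name) || preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) !== 1) {
            throw new InvalidArgumentException('Invalid header name: ' . var_export($name, true));
        }
        if (!is_string($value) || !isSafeHeaderValue($value)) {
            throw new InvalidArgumentException("Unsafe value for header {$name}");
        }
    }
    return $headers;
}

// Constructed sample: a value taken from user input (e.g. a query parameter)
$userSupplied = "en-GB\r\nX-Extra: test"; // CRLF would start a second header line

$headers = [
    'Accept-Language' => $userSupplied,
    'User-Agent'      => 'my-plugin/1.0',
];

try {
    $safe = assertSafeHeaders($headers);
    // Only reached when every value is a single line; pass $safe as the
    // 'headers' option of Remote::request() (assumed call shape).
} catch (InvalidArgumentException $e) {
    // Log and refuse the request instead of sending a modified one.
    echo 'Rejected outgoing request: ', $e->getMessage(), PHP_EOL;
}
```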