CVE-2020-26137: CRLF Injection

Published Feb 10, 2020
·
Updated

A flaw was found in python-urllib3. The HTTPConnection.request() does not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation of the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.

Other sources

A security issue was found in python-urllib3. HTTPConnection.request() does not properly validate CRLF sequences in the HTTP request method, potentially allowing to manipulate the request by injecting additional HTTP headers. Note that CVE-2020-26116 is strictly related to this bug, as the same flaw was reported in both urllib3 and built-in modules httplib/http.client.

References: https://bugs.python.org/issue39603

Upstream patch PR (merged upstream): https://github.com/urllib3/urllib3/pull/1800

Upstream commit: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Red Hat

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

GitHub

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

urllib3 is vulnerable to CRLF injection. By inserting CR and LF control characters in the first argument of putrequest(), a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

IBM

Affected Software

18 affected componentsFixes available
redhat/python<0:2.7.5-92.el7_9
0:2.7.5-92.el7_9
redhat/python-urllib3<0:1.24.2-5.el8
0:1.24.2-5.el8
redhat/python-urllib3<0:1.26.2-1.el7
0:1.26.2-1.el7
redhat/rh-python38-python<0:3.8.6-1.el7
0:3.8.6-1.el7
redhat/rh-python38-python-psutil<0:5.6.4-5.el7
0:5.6.4-5.el7
redhat/rh-python38-python-urllib3<0:1.25.7-6.el7
0:1.25.7-6.el7
redhat/urllib3<1.25.9
1.25.9
pip/urllib3<1.25.9
1.25.9
Python urllib3<1.25.9
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
Debian Debian Linux=9.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment=22.2.0
Oracle ZFS Storage Appliance Kit=8.8
IBM QRadar SIEM<=7.5 - 7.5.0 UP9 IF03
IBM QRadar Incident Forensics<=7.5 - 7.5.0 UP9 IF03
debian/python-urllib3
1.26.5-1~exp11.26.5-1~exp1+deb11u31.26.12-1+deb12u11.26.12-1+deb12u32.3.0-32.3.0-3+deb13u12.6.3-1

Remediation

Patch Available

https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b

Patch Available

https://github.com/urllib3/urllib3/pull/1800

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Feb 10, 2020
CVE Published
12:00 AM
Sep 29, 2020
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via Red Hat·06:21 PM
DescriptionSeverityAffected Software
Jun 18, 2021
Advisory Published
via GitHub·06:46 PM
Jan 11, 2024
Data Sourced
via Launchpad·11:47 PM
Description
Oct 17, 2024
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Feb 23, 2026
Data Sourced
via Ubuntu·09:43 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Debian·09:44 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-26137?

CVE-2020-26137 is a vulnerability in urllib3 library that allows CRLF injection if the attacker controls the HTTP request method.

2

What is the severity of CVE-2020-26137?

The severity of CVE-2020-26137 is high, with a CVSS score of 7.4.

3

How does CVE-2020-26137 impact confidentiality and integrity?

CVE-2020-26137 can potentially impact confidentiality and integrity of the affected system.

4

Which software versions are affected by CVE-2020-26137?

Versions up to and excluding urllib3 1.25.9 are affected by CVE-2020-26137.

5

What is the remedy for CVE-2020-26137?

The remedy for CVE-2020-26137 is to update urllib3 to version 1.25.9 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203