CVE-2024-51501 Overview
CVE-2024-51501 is a critical CRLF injection vulnerability affecting Refit, an automatic type-safe REST library for .NET Core, Xamarin, and .NET. The vulnerability exists in the handling of HTTP header values through the Header, HeaderCollection, and Authorize attributes, which fail to properly validate user-controllable input for CRLF (Carriage Return Line Feed) characters.
Critical Impact
Applications using Refit that pass user-controllable values to HTTP headers are vulnerable to CRLF injection, enabling HTTP header injection, request smuggling, and Server-Side Request Forgery (SSRF) attacks in web application contexts.
Affected Products
- Refit library versions prior to 7.2.22
- Refit library versions 8.x prior to 8.0.0
- Applications using vulnerable Refit versions that pass user input to header attributes
Discovery Timeline
- 2024-11-04 - CVE-2024-51501 published to NVD
- 2024-11-08 - Last updated in NVD database
Technical Details for CVE-2024-51501
Vulnerability Analysis
This vulnerability stems from improper input validation in the Refit library's HTTP header handling mechanism. When HTTP headers are added to a request, Refit utilizes the HttpHeaders.TryAddWithoutValidation method to append header values. This method does not perform validation checks for CRLF characters (\r\n) within header values.
In the HTTP/1.1 protocol, CRLF sequences serve as delimiters between headers and between the headers and body of an HTTP message. When an attacker can inject CRLF characters into a header value, they can effectively terminate the current header and inject additional headers or even complete HTTP requests.
The vulnerable code path can be traced to the RequestBuilderImplementation.cs file in the Refit repository. When web applications using Refit pass unsanitized user input through attributes like Header, HeaderCollection, or Authorize, the application becomes susceptible to request splitting attacks.
Root Cause
The root cause of this vulnerability is the use of HttpHeaders.TryAddWithoutValidation method for adding headers without first sanitizing or validating the header values for control characters. This design choice prioritizes flexibility over security, allowing malicious payloads containing CRLF sequences to pass through unchecked.
The CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) classification accurately describes this flaw, where user-controllable data is inserted into HTTP headers without proper encoding or validation of line-termination characters.
Attack Vector
The attack is network-based, requiring no authentication or user interaction. An attacker can exploit this vulnerability through the following mechanism:
When a web application accepts user input and passes it to a Refit header attribute, an attacker can craft malicious input containing CRLF sequences followed by additional HTTP headers or a complete HTTP request. This enables:
- HTTP Header Injection: Injecting arbitrary headers into the outgoing request
- HTTP Request Smuggling: Crafting a second HTTP request within the injected payload
- Server-Side Request Forgery (SSRF): Manipulating the application to make unintended requests to internal services
The vulnerability is particularly dangerous in web application contexts where user input flows to API clients built with Refit. For detailed technical analysis and proof-of-concept examples, refer to the GitHub Security Advisory GHSA-3hxg-fxwm-8gf7.
Detection Methods for CVE-2024-51501
Indicators of Compromise
- Unexpected HTTP requests originating from application servers to internal resources
- Log entries showing malformed or duplicated HTTP headers
- Evidence of SSRF attacks in web application logs
- Anomalous API call patterns with unusual header combinations
Detection Strategies
- Monitor outbound HTTP requests for headers containing encoded or decoded CRLF sequences (%0d%0a, \r\n)
- Implement web application firewall (WAF) rules to detect CRLF injection attempts in user input
- Analyze application logs for request splitting patterns or unexpected internal network requests
- Review .NET dependency manifests for vulnerable Refit library versions
Monitoring Recommendations
- Enable verbose logging on API gateways and reverse proxies to capture full request headers
- Implement network segmentation monitoring to detect SSRF attempts targeting internal services
- Deploy runtime application self-protection (RASP) solutions to identify injection attempts
- Monitor for unusual traffic patterns from application servers to internal endpoints
How to Mitigate CVE-2024-51501
Immediate Actions Required
- Upgrade Refit library to version 7.2.22 or 8.0.0 immediately
- Audit application code for instances where user input is passed to Refit header attributes
- Implement input validation to strip or reject CRLF characters from any data used in HTTP headers
- Review and restrict network egress from application servers to limit SSRF impact
Patch Information
The Refit maintainers have addressed this vulnerability in release versions 7.2.22 and 8.0.0. All users of the Refit library are strongly advised to upgrade to these patched versions. The security advisory and patch details are available in the GitHub Security Advisory.
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- As a defense-in-depth measure, implement strict input validation that rejects CRLF characters before passing data to Refit
- Consider implementing a custom DelegatingHandler to sanitize all header values
- Apply network-level controls to limit the impact of potential SSRF exploitation
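The custom DelegatingHandler suggested above, written out as an added example (not code from the Refit project or the advisory): it covers the root-cause path described under Technical Details, because Refit builds the HttpRequestMessage (including headers added with TryAddWithoutValidation) and then hands it to the HttpClient pipeline, where this handler inspects every header value for CR or LF before anything is sent. The IExampleApi interface, the X-Tenant header and the api.example.test host are assumptions for illustration.

```csharp
// Added example (not Refit's own code): a DelegatingHandler that refuses to send a
// request whose header values contain CR or LF, regardless of how they were added.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Refit;

public sealed class HeaderCrlfGuardHandler : DelegatingHandler
{
    public HeaderCrlfGuardHandler(HttpMessageHandler inner) : base(inner) { }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        CheckHeaders(request.Headers);
        if (request.Content is not null) CheckHeaders(request.Content.Headers);
        return base.SendAsync(request, cancellationToken);
    }

    // Fail closed: throw on the first value containing a line-termination character.
    internal static void CheckHeaders(HttpHeaders headers)
    {
        foreach (var header in headers)
            foreach (var value in header.Value)
                if (value.Contains('\r') || value.Contains('\n'))
                    throw new InvalidOperationException(
                        $"Header '{header.Key}' contains a CR/LF control character.");
    }
}

// Hypothetical Refit interface: the X-Tenant header value comes from a parameter.
public interface IExampleApi
{
    [Get("/items")]
    Task<string> GetItems([Header("X-Tenant")] string tenant);
}

public static class Program
{
    public static async Task Main()
    {
        var client = new HttpClient(new HeaderCrlfGuardHandler(new HttpClientHandler()))
            { BaseAddress = new Uri("https://api.example.test") }; // placeholder host
        var api = RestService.For<IExampleApi>(client);
        // Constructed untrusted input carrying a CRLF sequence: the guard throws
        // before any bytes reach the network.
        try { await api.GetItems("acme\r\nX-Injected: 1"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Rejecting the request rather than silently stripping the characters keeps each attempt visible as an exception in application logs, which supports the detection strategies listed above.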
# Update Refit package to patched version using .NET CLI
dotnet add package Refit --version 7.2.22
# Or for version 8.x
dotnet add package Refit --version 8.0.0
# Verify installed version
dotnet list package | grep -i refit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

