neuron-core/neuron-ai is vulnerable to CRLF Injection
78
High Risk
The package fixed a CRLF header injection vulnerability in SseHttpTransport::buildHeaderString(), where header names and values were previously concatenated into the HTTP header block without filtering carriage return or line feed characters. If an attacker can control any portion of the headers passed into this method, they may inject forged headers or manipulate the request structure by inserting additional header lines. In practice, this could be exploited to smuggle unintended metadata, override security-relevant headers, or potentially alter downstream request handling, depending on how the transport is used and what intermediaries process the resulting request.
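To make the mechanism concrete, here is an added example (not the neuron-ai project's own code) of a hypothetical header builder that concatenates names and values the way the advisory describes, next to a hardened form that rejects carriage return, line feed and NUL before anything reaches the wire. The function names and the sample header values are constructed for this illustration and are not taken from the package.

```php
<?php
declare(strict_types=1);

// Hypothetical header builder (added example, not SseHttpTransport's code).
// Vulnerable form: names and values are joined into the header block with no
// check for CR/LF. A value such as "x\r\nX-Forged: 1" becomes an extra header
// line when the block is sent.
function buildHeaderStringUnsafe(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out;
}

// Reject rather than strip: silently removing CR/LF hides the problem from
// the caller, while throwing makes the bad input visible in logs and tests.
function assertNoLineBreaks(string $s, string $what): void
{
    if (preg_match('/[\r\n\0]/', $s) === 1) {
        throw new InvalidArgumentException("Header $what contains CR, LF or NUL");
    }
}

// Hardened form: validate each name and value before concatenation. Header
// names are additionally restricted to the RFC 7230 token character set.
function buildHeaderString(array $headers): string
{
    $out = '';
    foreach ($headers as $name => $value) {
        $name  = (string) $name;
        $value = (string) $value;
        assertNoLineBreaks($name, 'name');
        assertNoLineBreaks($value, 'value');
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
            throw new InvalidArgumentException("Invalid header name: $name");
        }
        $out .= $name . ': ' . $value . "\r\n";
    }
    return $out;
}

// Simple detection check for tests or an outbound filter: the number of
// CRLF-terminated lines in the block must equal the number of headers given.
function headerBlockIsConsistent(array $headers, string $block): bool
{
    return substr_count($block, "\r\n") === count($headers);
}

// Constructed input: one ordinary header and one value carrying an embedded CRLF.
$headers = [
    'Accept'   => 'text/event-stream',
    'X-Tenant' => "acme\r\nX-Admin: true",   // constructed hostile value
];

$unsafe = buildHeaderStringUnsafe($headers);
echo "Unsafe builder produced " . substr_count($unsafe, "\r\n")
   . " lines for " . count($headers) . " headers\n";
var_dump(headerBlockIsConsistent($headers, $unsafe)); // bool(false)

try {
    buildHeaderString($headers);
} catch (InvalidArgumentException $e) {
    echo "Hardened builder rejected input: " . $e->getMessage() . "\n";
}
```

Run with `php example.php`: the unsafe builder emits three header lines for two headers, which the consistency check flags, while the hardened builder refuses the input outright. The same line-count comparison is a cheap regression test to keep around after upgrading, since it catches any future code path that reintroduces unfiltered concatenation.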
You are affected if you are using a version that falls within the vulnerable range.
neuron-core/neuron-ai is vulnerable to CRLF Injection in versions 2.4.0 - 3.14.6.
Upgrade the neuron-core/neuron-ai library to a patched version.