
AIKIDO-2026-602549

secure_headers is vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Weakness: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CVE-2026-54163
Published Yesterday

47

Medium Risk

This Affects:

Ecosystem: Ruby
Package: secure_headers
Affected versions: 0.0.1 - 7.2.0
Fixed in: 7.3.0

TL;DR

secure_headers' build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive interpolate caller input into the CSP header without stripping ; or other delimiter characters (unlike build_source_list_directive, which already does). Untrusted input reaching :sandbox, :plugin_types, or :report_to lets an attacker inject a ;-delimited script-src directive. Because these keys sort before :script_src in BODY_DIRECTIVES, the injected directive appears first in the header and wins under CSP's first-occurrence rule, overriding the real policy with 'unsafe-inline' * and enabling XSS.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

secure_headers is vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in versions 0.0.1 - 7.2.0.

How to fix this

Upgrade the secure_headers library to the patched version (7.3.0). Applications that configure sandbox, plugin_types, and report_to only through static, trusted configuration are not vulnerable and require only the version upgrade. Applications that allow user-controlled input to influence these directives through per-controller override APIs should also audit and restrict those code paths so that untrusted values cannot reach them.
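As an added illustration of the TL;DR mechanism and of the audit recommended above (this is example code, not secure_headers' own implementation): a minimal model of assembling a CSP header from a directive hash, with the vulnerable interpolation beside a delimiter-stripping version, a parser that applies CSP's first-occurrence rule, and a duplicate-directive check usable when reviewing emitted headers. The method names, the alphabetical directive order and the tainted sample value are assumptions constructed for the example.

```ruby
# Characters that let a value escape its directive: ';' starts a new directive,
# ',' joins header values, CR/LF would split the header itself.
DELIMITERS = /[;,\r\n]/

# Vulnerable pattern: caller input interpolated verbatim.
def build_directive_unsafe(name, values)
  "#{name.to_s.tr("_", "-")} #{Array(values).join(" ")}"
end

# Hardened pattern: delimiter characters removed from every value first.
def build_directive_safe(name, values)
  clean = Array(values).map { |v| v.to_s.gsub(DELIMITERS, "").strip }.reject(&:empty?)
  "#{name.to_s.tr("_", "-")} #{clean.join(" ")}"
end

# Directives are emitted in key order (alphabetical here, so :sandbox precedes
# :script_src, mirroring the ordering problem described above) joined by "; ".
def build_csp(config, builder)
  config.keys.sort.map { |k| send(builder, k, config[k]) }.join("; ")
end

# First-occurrence rule: a browser keeps the first directive with a given name
# and ignores later duplicates.
def effective_directives(header)
  header.split(";").map(&:strip).each_with_object({}) do |d, acc|
    next if d.empty?
    name, *vals = d.split(/\s+/)
    acc[name] ||= vals
  end
end

# Review check: a serialized policy should never name a directive twice.
def duplicate_directives(header)
  names = header.split(";").map { |d| d.strip.split(/\s+/).first }.compact
  names.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# Constructed sample: the sandbox value carries an injected script-src directive.
TAINTED = "allow-forms; script-src 'unsafe-inline' *"
CONFIG = { script_src: ["'self'"], sandbox: [TAINTED] }

# Builds the header with the given builder and reports what a browser would
# enforce for script-src, plus any duplicated directive names.
def demo(builder)
  header = build_csp(CONFIG, builder)
  { header: header,
    script_src: effective_directives(header)["script-src"],
    duplicates: duplicate_directives(header) }
end
```

With the unsafe builder the effective script-src becomes 'unsafe-inline' * and the duplicate check flags script-src; with the safe builder the injected text stays inside the sandbox directive as inert tokens and 'self' is enforced.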