Wojtekmach Req Multipart Header Injection Vulnerability via Unescaped Metadata

Vulnerability

A CRLF injection vulnerability has been identified in the Wojtek Mach Req library, affecting versions from 0.5.3 up to (but not including) 0.6.0. It allows multipart parameter smuggling through attacker-controlled part metadata. The multipart form encoder interpolates the 'name', 'filename', and 'content_type' values directly into the part headers without escaping or stripping CRLF sequences, so a value containing a line break terminates the current header line and whatever follows is parsed as further headers. As a result, an attacker can inject additional headers, smuggle extra form fields, or prepend a new part into the outgoing request. The issue is particularly exploitable when the 'value' parameter is a File.Stream, because POSIX filenames may legitimately contain CR and LF characters, so a filename taken from the filesystem or from user input can carry the injection without any further manipulation. Applications that use Req to send multipart form data and let users influence any of these header values are at risk.

Impact

Exploitation of this vulnerability leads to HTTP request smuggling, allowing an attacker to manipulate the multipart body of the request by injecting headers or smuggling additional fields and parts. This could disrupt the intended functionality of the application or service processing the request.

Reproduction

To reproduce this vulnerability, first create a malicious filename that embeds CRLF sequences followed by an injected header and a new part header, such as 'harmless.txt" X-Smuggled: marker Content-Disposition: form-data; name="pwned"' (the CRLF characters between the segments are not visible here). Then use the 'Req.Utils.encode_form_part/2' function to send a multipart form-data request with the crafted filename. The resulting request contains the smuggled header and the extra form field, demonstrating the vulnerability.

Remediation

The vulnerability has been patched in Req version 0.6.0, and users should upgrade to that version. In addition, when using Req to send multipart form data, treat 'name', 'filename', and 'content_type' as untrusted whenever a user can influence them: strip or reject CR and LF characters and double quotes before including them in the request, since the double quote is what delimits the parameter value and the CRLF is what terminates the header line.
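The following Elixir module is an added example, not code from the Req project or from this advisory. It shows the defensive side of the remediation above: a strict validator that rejects metadata containing CRLF or quotes, a lenient sanitizer that strips them, and a small part-header builder that demonstrates where the unescaped interpolation would otherwise break the header. The `form_multipart` option name and the `{stream, filename: ..., content_type: ...}` part shape used in the usage comment are assumptions about how a caller would hand sanitized values to Req; adapt them to the Req version you run.

```elixir
defmodule MultipartMetadata do
  @moduledoc """
  Sanitize attacker-influenced multipart metadata ("name", "filename",
  "content_type") before it reaches a multipart encoder.
  Added example; the Req option names mentioned in comments are assumptions.
  """

  # Characters that let a value escape its header line or its quoted
  # parameter: carriage return, line feed, and the double quote.
  @forbidden ["\r", "\n", "\""]

  @doc "Strict mode: refuse any value containing CR, LF or a double quote."
  def validate(value) when is_binary(value) do
    if String.contains?(value, @forbidden) do
      {:error, :unsafe_multipart_metadata}
    else
      {:ok, value}
    end
  end

  @doc "Lenient mode: drop the forbidden characters and all other ASCII controls."
  def sanitize(value) when is_binary(value) do
    value
    |> String.replace(@forbidden, "")
    # remaining control bytes (0x00-0x1F, 0x7F) have no place in a header value
    |> String.replace(~r/[\x00-\x1F\x7F]/, "")
  end

  @doc """
  Build the Content-Disposition line for a part. Both parameters are
  validated first, so the interpolation below can never produce a second
  header line. Returns {:ok, header} or {:error, reason}.
  """
  def part_header(name, filename) do
    with {:ok, name} <- validate(name),
         {:ok, filename} <- validate(filename) do
      {:ok, ~s(Content-Disposition: form-data; name="#{name}"; filename="#{filename}")}
    end
  end

  @doc """
  Prepare a file part from a user-supplied filename. Path.basename/1 drops
  any directory components, sanitize/1 removes CRLF and quotes, and an
  empty result falls back to a fixed name. The returned tuple follows the
  assumed shape of a Req `form_multipart` file part.
  """
  def file_part(stream, user_filename, content_type \\ "application/octet-stream") do
    safe_name = user_filename |> Path.basename() |> sanitize()
    safe_name = if safe_name == "", do: "upload", else: safe_name
    {stream, filename: safe_name, content_type: sanitize(content_type)}
  end
end

# Constructed hostile filename in the shape described in the advisory:
# a quote, then CRLF, then text that would be read as an extra header.
hostile = "harmless.txt\"\r\nX-Smuggled: marker\r\n"

MultipartMetadata.validate(hostile)
# => {:error, :unsafe_multipart_metadata}

MultipartMetadata.part_header("file", hostile)
# => {:error, :unsafe_multipart_metadata}

MultipartMetadata.sanitize(hostile)
# => "harmless.txtX-Smuggled: marker"   (single line, no header break possible)

MultipartMetadata.part_header("file", "report.pdf")
# => {:ok, "Content-Disposition: form-data; name=\"file\"; filename=\"report.pdf\""}

# Assumed usage with Req (option name is an assumption about Req's API):
#   part = MultipartMetadata.file_part(File.stream!(path), user_filename)
#   Req.post!(url, form_multipart: [file: part])
```

Prefer `validate/1` over `sanitize/1` where the application can return an error to the caller: silently stripping characters hides the fact that a hostile value was supplied, which is worth logging as a detection signal. Apply the same check to `name` and `content_type`, not only to `filename`, since the advisory lists all three as unescaped.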

Added: Jun 8, 2026, 4:24 PM
Updated: Jun 8, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  8.0
  remediation     0.0
  relevance       9.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.