Description
BlackSheep is an asynchronous web framework to build event-based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing header validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates handling of response headers to an underlying ASGI server. This vulnerability is fixed in 2.4.6.
Published: 2026-01-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CRLF injection in HTTP client enabling header manipulation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a lack of validation in BlackSheep’s HTTP Client, which allows malicious input to inject Carriage Return and Line Feed characters into request headers. Such an injection can alter the outgoing request by appending arbitrary headers, or terminate it and create a new HTTP request entirely. Because the server component delegates response-header handling to the underlying ASGI server, only the client side is affected. The flaw provides a route for altering request semantics without the protection of the surrounding infrastructure, potentially leading to information disclosure or request forgery if the crafted headers influence downstream services.

Affected Systems

Neoteroi’s BlackSheep asynchronous web framework, in versions prior to 2.4.6, is affected. Any Python application that builds outgoing HTTP requests with the BlackSheep client from these versions may propagate unsanitized header values into those requests.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity, while an EPSS of less than 1% reflects a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Exploitation requires that developers pass unsanitized user data into header fields. If an attacker can influence that input, they can modify request headers to influence the behavior of downstream services or insert harmful headers, but the likelihood of such injection in production environments is low and the impact is contained to the client-side request path.

Generated by OpenCVE AI on April 18, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BlackSheep to version 2.4.6 or later.
  • Validate or sanitize all user input before passing it to HTTP header fields.
  • Audit existing code to ensure no unsanitized user input is used in header construction, and restrict header modifications to trusted code paths.
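As an added illustration of the second and third recommended actions, the following validator rejects any header name or value that could break out of a header line before it reaches an HTTP client. This is example code written for this page, not BlackSheep's own code or API; the helper names (`validate_header`, `safe_headers`, `is_safe_header_value`) and the constructed `UNTRUSTED_ACCEPT` sample value are assumptions made here for demonstration.

```python
import re
from typing import Mapping

# Header names are RFC 9110 tokens: no whitespace, no control characters, no separators.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values may contain HTAB, visible ASCII and obs-text bytes (0x80-0xFF);
# CR (0x0D), LF (0x0A), NUL and other control characters are rejected outright,
# because a CR/LF pair is what lets a value terminate the header line (CWE-113).
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could change request framing."""


def validate_header(name: str, value: str) -> None:
    """Raise HeaderInjectionError unless `name` and `value` are safe to emit."""
    # fullmatch (not match with `$`) so a trailing newline cannot slip past the check.
    if not _TOKEN_RE.fullmatch(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if not _VALUE_RE.fullmatch(value):
        raise HeaderInjectionError(f"invalid header value for {name!r}: {value!r}")


def is_safe_header_value(value: str) -> bool:
    """True when `value` contains no CR, LF or other control characters."""
    return _VALUE_RE.fullmatch(value) is not None


def safe_headers(headers: Mapping[str, str]) -> dict:
    """Validate every entry and return a plain dict ready to hand to an HTTP client."""
    for name, value in headers.items():
        validate_header(name, value)
    return dict(headers)


# Constructed sample input (assumption for this example): a value copied straight
# from an untrusted request parameter, carrying CR LF followed by a second header line.
UNTRUSTED_ACCEPT = "application/json\r\nX-Injected: 1"

if __name__ == "__main__":
    print(safe_headers({"Accept": "application/json", "X-Request-Id": "abc123"}))
    try:
        safe_headers({"Accept": UNTRUSTED_ACCEPT})
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting the value is preferable to silently stripping CR and LF: a stripped value still reaches the downstream service in a form the caller never intended, whereas an exception surfaces the untrusted data flow during review and testing. Calling `safe_headers` at the single point where application code assembles outgoing headers also keeps header construction confined to a trusted code path, as the third action recommends.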


Advisories
Source: GitHub GHSA
ID: GHSA-6pw3-h7xf-x4gp
Title: BlackSheep's ClientSession is vulnerable to CRLF injection
History

Thu, 22 Jan 2026 15:45:00 +0000

Weaknesses: added NVD-CWE-Other
CPEs: added cpe:2.3:a:neoteroi:blacksheep:*:*:*:*:*:python:*:*
Metrics: added cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Thu, 15 Jan 2026 08:15:00 +0000

First Time appeared: added Neoteroi; Neoteroi blacksheep
Vendors & Products: added Neoteroi; Neoteroi blacksheep

Wed, 14 Jan 2026 21:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 17:00:00 +0000

Description: added "BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6."
Title: added BlackSheep ClientSession is vulnerable to CRLF injection
Weaknesses: added CWE-113
References: added
Metrics: added cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Neoteroi Blacksheep
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:01:52.743Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22779

Vulnrichment

Updated: 2026-01-14T21:01:50.131Z

NVD

Status: Analyzed

Published: 2026-01-14T17:16:09.150

Modified: 2026-01-22T15:39:31.557

Link: CVE-2026-22779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses