- What is CWE-93?
- The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
- What CVEs are caused by CWE-93?
- 127 recorded CVEs are attributed to CWE-93, including CVE-2025-61884, CVE-2026-33128, CVE-2024-51501. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-93 part of the OWASP Top 10?
- CWE-93 maps to OWASP Top Ten 2007: Injection Flaws (A2) in the OWASP security taxonomy.
- How do you prevent CWE-93?
- Avoid using CRLF as a special sequence.
- How is CWE-93 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-93?
- Exploiting CWE-93 can lead to: Modify Application Data.
- Is CWE-93 actively exploited?
- Yes. 1 CWE-93 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 127 recorded CVEs.