CVE-2024-45302: 
C# vulnerability analysis and mitigation

RestSharp, a Simple REST and HTTP API Client for .NET, was found to contain a CRLF injection vulnerability (CVE-2024-45302) in its header handling functionality. The vulnerability affects versions from 107.0.0 up to (excluding) 112.0.0, where the second argument to RestRequest.AddHeader, RestRequest.AddOrUpdateHeader, and RestClient.AddDefaultHeader methods are susceptible to CRLF injection attacks (GitHub Advisory).

The vulnerability stems from the use of HttpHeaders.TryAddWithoutValidation method which does not perform validation checks for CRLF characters in header values. When HTTP headers are added to a request through RestSharp's RequestHeaders object, they become vulnerable to CRLF injection. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST and 6.1 (MEDIUM) by GitHub, with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H (NVD).

When exploited, this vulnerability allows attackers to inject additional HTTP headers or smuggle whole HTTP requests through CRLF injection. In web applications, this can lead to request splitting and Server Side Request Forgery (SSRF) attacks. While command-line applications might not be significantly impacted, web applications passing user-controllable values through headers become vulnerable to these attacks (GitHub Advisory).

The vulnerability has been addressed in RestSharp version 112.0.0. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (NVD).

Security researchers have highlighted the importance of this vulnerability, particularly for web applications using RestSharp. The discovery has led to increased awareness about CRLF injection vulnerabilities in .NET libraries (GBHackers).