CVE-2024-51501: 
C# vulnerability analysis and mitigation

Refit, an automatic type-safe REST library for .NET Core, Xamarin and .NET, contains a vulnerability in its header-related attributes (Header, HeaderCollection and Authorize) that are susceptible to CRLF injection. The vulnerability exists in all versions prior to 7.2.22 and 8.0.0, where HTTP headers are added to requests using the HttpHeaders.TryAddWithoutValidation method without proper CRLF character validation (GitHub Advisory).

The vulnerability stems from the way HTTP headers are added to requests using the HttpHeaders.TryAddWithoutValidation method, which does not validate CRLF characters in header values. When using HTTP/1.1, this CRLF injection vulnerability allows attackers to inject additional HTTP headers or smuggle entire HTTP requests. The issue has been assigned CVE-2024-51501 with a CVSS v4.0 score of 10.0 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) (NVD).

If an application using the Refit library passes user-controllable values through to headers, it becomes vulnerable to CRLF injection. While this may not be a critical security issue for command-line applications, web applications using affected versions become vulnerable to request splitting and Server Side Request Forgery (SSRF). The vulnerability allows attackers to potentially inject additional headers or smuggle complete HTTP requests (GitHub Advisory).

Users are advised to upgrade to Refit version 7.2.22 or 8.0.0 or later, which contain fixes for this vulnerability. There are no known workarounds for this vulnerability other than upgrading to a patched version (NVD).