BusyBox Wget: HTTP Header Injection & The Art of Request Splitting
Jan 22, 2026
Executive Summary (TL;DR)
BusyBox `wget` < 1.38.0 trusts URL inputs a little too much. It fails to sanitize control characters (CR/LF) and raw spaces. If you can trick an application into passing a malicious URL to `wget`, you can split the HTTP request, inject headers (like `Cookie` or `Authorization`), and potentially bypass authentication or poison intermediate caches. Patch now or sanitize your inputs.
A critical input validation failure in BusyBox's `wget` implementation allows for CRLF injection and HTTP Request Splitting, enabling attackers to inject arbitrary headers or poison caches via crafted URLs.
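The summary above describes the failure mode (CR, LF and raw spaces passed straight from the URL into the request line) but not what an input guard looks like. The script below is an added example, not BusyBox code or the project's fix: it is a POSIX sh wrapper that refuses to hand a URL to `wget` unless every byte is printable, non-space ASCII, and it demonstrates the check on constructed sample URLs (the hostnames and the injected `Cookie` value are made up for the example). The `url_is_clean` and `wget_checked` names are the example's own; the check inspects raw bytes only, which is the case the summary describes, and does not decode percent-encoding.

```shell
#!/bin/sh
# Added example (not BusyBox or its wget code): guard a URL before it reaches
# a CRLF-unaware wget. Byte-based matching, so character ranges mean ASCII.
export LC_ALL=C

# url_is_clean URL
#   Returns 0 when URL consists only of printable, non-space ASCII (0x21-0x7E),
#   1 when it contains CR, LF, space, tab or any other control byte that an
#   unsanitized client would copy verbatim into the HTTP request line.
url_is_clean() {
    case "$1" in
        '') return 1 ;;               # empty URL is never acceptable
        *[!!-~]*) return 1 ;;         # any byte outside '!'..'~' => reject
        *) return 0 ;;
    esac
}

# wget_checked [wget options...] URL
#   Validates the last argument (the URL) and only then invokes wget.
#   Exit status 2 and a diagnostic on stderr when the URL is rejected.
wget_checked() {
    for last in "$@"; do :; done      # POSIX way to fetch the final argument
    if ! url_is_clean "$last"; then
        printf 'refusing to fetch: URL contains control or space characters\n' >&2
        return 2
    fi
    wget "$@"
}

# Demonstration on constructed inputs (no network access, wget is not run).
demo() {
    crlf_url=$(printf 'https://example.invalid/\r\nCookie: injected=1\r\n\r\n')
    for u in \
        'https://example.invalid/index.html?a=1&b=2' \
        "$crlf_url" \
        'https://example.invalid/a b' \
        "$(printf 'https://example.invalid/\ttab')"
    do
        if url_is_clean "$u"; then
            printf 'clean:    %s\n' "$u"
        else
            printf 'rejected: %s\n' "$(printf '%s' "$u" | od -An -c | tr -s ' \n' ' ')"
        fi
    done
}

demo
```

The `case` pattern `*[!!-~]*` is the whole check: the leading `!` negates the bracket expression and `!-~` is the range of printable ASCII excluding space, so a single CR, LF, tab or space anywhere in the string is enough to reject it. Rejected inputs are echoed through `od -c` so the offending control bytes are visible in a log rather than silently splitting a line.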
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| BusyBox wget | <= 1.37.0 | 1.38.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-113 |
| Attack Vector | Network |
| CVSS Score | 6.5 |
| Impact | Integrity & Confidentiality |
| Exploit Status | PoC Available |
| Protocol | HTTP/1.1 |
Weakness Description (CWE-113)
The product does not neutralize or incorrectly neutralizes CR and LF characters in HTTP headers.