The application includes user input in HTTP response headers without filtering carriage return and line feed characters, allowing attackers to inject arbitrary headers or split responses.
An attacker could inject malicious HTTP headers, perform HTTP response splitting, set arbitrary cookies, enable XSS through injected headers, or poison web caches.
Strip or encode CRLF characters from all user input used in HTTP headers. Use framework-provided methods for setting headers that automatically handle encoding. Validate header values server-side.
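The following is an added example, not code from the original page: it shows a raw redirect builder that concatenates a user-supplied target straight into the `Location` header (the weak form) next to a hardened variant that rejects any value containing CR, LF or other control characters, and a strip-based variant for the "strip or encode" remediation. The redirect strings and the minimal response parser are constructed here to make the splitting effect observable offline; no real framework API is assumed.

```python
import re
from typing import List, Tuple

# RFC 9110 allows only visible ASCII, space, HTAB and obs-text in a field value.
# CR (0x0D), LF (0x0A), the other C0 controls and DEL are never legal, so any
# of them in user input is either an attack or a bug; HTAB (0x09) stays allowed.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Constructed sample inputs: a benign redirect target and one carrying CRLF
# sequences that would terminate the header block early.
REDIRECT_OK = "/dashboard"
REDIRECT_CRLF = "/dashboard\r\nSet-Cookie: sid=injected\r\n\r\n<html>injected body</html>"


def is_safe_header_value(value: str) -> bool:
    """Server-side validation: True only if no control characters are present."""
    return _FORBIDDEN.search(value) is None


def strip_crlf(value: str) -> str:
    """Remediation variant: remove CR/LF and other control characters outright."""
    return _FORBIDDEN.sub("", value)


def build_response_unsafe(location: str) -> bytes:
    """'Before': the value is interpolated into the header block unchecked."""
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_response_safe(location: str) -> bytes:
    """'After': refuse to emit a header whose value could split the response."""
    if not is_safe_header_value(location):
        raise ValueError("header value contains CR/LF or control characters")
    return build_response_unsafe(location)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw response the way a client does: the first blank line ends
    the header block, everything after it is body. Returns (name, value) pairs."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_names(raw: bytes) -> List[str]:
    """Header names a client would see; an injected header shows up here."""
    return [name for name, _ in parse_headers(raw)]


if __name__ == "__main__":
    # Unchecked: the injected Set-Cookie becomes a real header and the intended
    # Content-Length is pushed into the body.
    print(header_names(build_response_unsafe(REDIRECT_CRLF)))
    # Stripped: only the headers the application meant to send remain.
    print(header_names(build_response_safe(strip_crlf(REDIRECT_CRLF))))
    # Rejected: the hardened builder refuses the raw value.
    try:
        build_response_safe(REDIRECT_CRLF)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting is the safer default: a stripped value is still garbage ("/dashboardSet-Cookie: ...") and may silently redirect somewhere unintended, whereas a rejection surfaces the bad input in logs. Where a framework sets headers for you, prefer its API, but keep the validation as a second check, since the regex above is the whole contract and costs nothing.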