CVE-2021-31402

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

### Impact The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. ### Patches The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0. ### Workarounds Cherry-pick the commit to your own fork can resolves the vulberability too. ### References - https://nvd.nist.gov/vuln/detail/CVE-2021-31402 - https://osv.dev/GHSA-jwpw-q68h-r678 - https://github.com/cfug/dio/issues/1130 - https://github.com/cfug/dio/issues/1752

### Impact The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669. ### Patches The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0. ### Workarounds Cherry-pick the commit to your own fork can resolves the vulberability too. ### References - https://nvd.nist.gov/vuln/detail/CVE-2021-31402 - https://osv.dev/GHSA-jwpw-q68h-r678 - https://github.com/cfug/dio/issues/1130 - https://github.com/cfug/dio/issues/1752

El paquete dio versión 4.0.0 para Dart, permite una inyección CRLF si el atacante controla la cadena del método HTTP, una vulnerabilidad diferente de CVE-2020-35669