7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-31402

GHSA ID

GHSA-9324-jv53-9cc8

EPSS Score

0.57017%

CWE

CWE-93

Published

3/21/2023

Updated

10/5/2023

KEV Status

Technology

Dart

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-31402

CVE-2021-31402: dio vulnerable to CRLF injection with HTTP method string

Impact

The dio package 4.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.

Patches

The vulnerability has been resolved by https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984, and included since v5.0.0.

Workarounds

Cherry-pick the commit to your own fork can resolves the vulberability too.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-31402
https://osv.dev/GHSA-jwpw-q68h-r678
https://github.com/cfug/dio/issues/1130
https://github.com/cfug/dio/issues/1752

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-31402

CVE-2021-31402:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-31402

GHSA ID

GHSA-9324-jv53-9cc8

EPSS Score

0.57017%

CWE

CWE-93

Published

3/21/2023

Updated

10/5/2023

KEV Status

Technology

Dart

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dio	pub	< 5.0.0	5.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing validation of the HTTP method string before constructing requests. The patch introduced the _isValidToken validation check in _transformData, which was absent in vulnerable versions. Since _transformData is the entry point for request processing and directly used the unvalidated options.method parameter, its lack of validation made it the vulnerable entry point for CRLF injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-31402: dio vulnerable to CRLF injection with HTTP method string

Impact

Patches

Workarounds

References

CVE-2021-31402:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2021-31402: dio vulnerable to CRLF injection with HTTP method string

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI