Carriage Return Line Feed (CRLF) Injection is a type of vulnerability that occurs when a user manages to insert a CRLF into an application. The CRLF characters represent an end of line for many internet protocols, including HTML, and are %0D%0A, which decoded represent \r\n. These can be used to denote line breaks and, when combined with HTTP headers, can lead to different vulnerabilities, including HTTP Request Smuggling and HTTP Response Splitting. This can lead to further problems.
CRLF injection can be very serious, though it is hard to achieve. Twitter, for example, used to decode input but not encode output, and this problem led to a bounty of $3,500 for the smart hacker guy. Response splitting also occurred on Shopify because of unsanitized parameters.
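
The "decode input but not encode output" pattern described above, shown beside a hardened form. This is an added example, not code from Twitter, Shopify or the original page; the function names, the /home?lang= redirect and the sample parameter are assumptions constructed for illustration.

```python
from urllib.parse import quote, unquote

# Constructed sample: a query parameter carrying an encoded CRLF (%0d%0a).
CONSTRUCTED_PARAM = "en%0d%0aX-Injected: 1"


def build_redirect_naive(raw_param: str) -> bytes:
    """Decodes the input and writes it into a header without re-encoding."""
    target = unquote(raw_param)  # %0d%0a becomes a real \r\n here
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: /home?lang={target}\r\n"
            "\r\n").encode("latin-1")


def safe_header_value(value: str) -> str:
    """Refuse CR, LF and other control characters in a header value."""
    for ch in value:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) == 0x7F:
            raise ValueError("control character in header value")
    return value


def build_redirect_hardened(raw_param: str) -> bytes:
    """Decodes the input, then encodes it again for the output context."""
    target = unquote(raw_param)
    # Percent-encode for the URL context, so \r\n goes out as %0D%0A.
    location = "/home?lang=" + quote(target, safe="")
    # Second layer: nothing with a raw control character reaches the wire.
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {safe_header_value(location)}\r\n"
            "\r\n").encode("latin-1")


def header_lines(response: bytes) -> list:
    """Return the header lines a client would parse (status line excluded)."""
    head = response.split(b"\r\n\r\n", 1)[0]
    return head.decode("latin-1").split("\r\n")[1:]


if __name__ == "__main__":
    print("naive:   ", header_lines(build_redirect_naive(CONSTRUCTED_PARAM)))
    print("hardened:", header_lines(build_redirect_hardened(CONSTRUCTED_PARAM)))
```

The naive builder yields two header lines from one parameter, which is the response-splitting condition; the hardened builder yields a single Location header with the CRLF still percent-encoded.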