CRLF Injection leads to Stack Trace Exposure due to lack of filtering at in microweber/microweber


Reported on Feb 17th 2022


The introduction of a new line character lets the attacker the stack trace at . This attack becomes more significant because of its low complexity.

The stack trace discloses the following information:

  1. The backend response code.
  2. The version of the backend Laravel technology.
  3. The routing path.

Proof of Concept

  1. Visit the following URL:
  2. Now add the CRLF payload to the parameter. It will look like this:


This vulnerability is capable of disclosing a sensitive stack trace exposed by the back-end, which will let the attacker escalate his/her attack vector.

I hope you understand this issue and fix it as soon as possible. Thank you.


I don't have a complete idea where this issue is actually occurring in the code link provided, but I'm guessing it should be a potential path for that vulnerability to occur.
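Added example (this is not microweber's code and not the fix in commit f0e338): one defensive pattern in PHP for the class of issue reported above. A request parameter is checked for carriage return / line feed characters (raw or URL-encoded) and restricted to an allow-list before it reaches anything like a module loader, and every exception is converted into a generic response so a stack trace never reaches the client. The parameter name `module`, the allowed character set and the response texts are assumptions; the reference to Laravel's `APP_DEBUG` setting is the framework's documented switch for detailed error pages.

```php
<?php
// Added example, not project code: reject CR/LF in a request parameter
// before it is used, and never let exception details reach the client.
declare(strict_types=1);

/**
 * True when the value contains CR or LF, either literal or URL-encoded
 * (%0d / %0a). PHP already decodes $_GET once; decoding again also
 * catches a value that was encoded twice.
 */
function containsCrlf(string $value): bool
{
    $decoded = rawurldecode($value);
    return preg_match('/[\r\n]/', $decoded) === 1;
}

/**
 * Validate a module-name style parameter (hypothetical parameter): only
 * letters, digits, '/', '_' and '-' are accepted. Anything else, CR/LF
 * included, is rejected up front with an InvalidArgumentException instead
 * of being handed to the loader, where an unexpected value can raise an
 * exception that a debug-mode error page would print with a full trace.
 */
function validateModuleParam($value): string
{
    if (!is_string($value) || $value === '') {
        throw new InvalidArgumentException('module parameter is required');
    }
    if (containsCrlf($value) || !preg_match('~^[A-Za-z0-9_/\-]+$~', $value)) {
        throw new InvalidArgumentException('module parameter contains invalid characters');
    }
    return $value;
}

// Minimal request handling showing the defensive path. In a Laravel
// deployment, APP_DEBUG=false in .env is what disables the detailed
// error page in the first place; the handler below is defence in depth.
try {
    $module = validateModuleParam($_GET['module'] ?? null);
    header('Content-Type: text/plain');
    echo "loading module: " . htmlspecialchars($module, ENT_QUOTES, 'UTF-8') . "\n";
} catch (InvalidArgumentException $e) {
    // Client error: say only that the request was bad, not why.
    http_response_code(400);
    header('Content-Type: text/plain');
    echo "Bad request\n";
} catch (Throwable $e) {
    // Server error: log the details server-side; never echo $e or its trace.
    error_log($e->getMessage());
    http_response_code(500);
    header('Content-Type: text/plain');
    echo "Internal error\n";
}
```

Run it under the PHP built-in server (`php -S 127.0.0.1:8080 example.php`) and request `/?module=users` versus `/?module=users%0d%0ainjected`: the first is echoed back, the second gets a plain 400 with no framework output. The point of the allow-list is that the response code, framework version and routing path listed in the report are disclosed by the error page, not by the parameter itself, so stopping malformed values before they cause an exception removes the trigger regardless of debug settings.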

We are processing your report and will contact the microweber team within 24 hours. a year ago
Yash K
a year ago


Hello, I found another path which discloses more information regarding the stack trace: as you can see, the name "users" in the load_module: is changed to "admin", which discloses more information about the particular user. Thank you.

Peter Ivanov validated this vulnerability a year ago
Yash K has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov marked this as fixed in 1.2.11 with commit f0e338 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Controller.php#L1-L21 has been validated
Peter Ivanov
a year ago


The other issue is also fixed in this commit.
