CRLF Injection in RestSharp’s `RestRequest.AddHeader` method
Description

Summary

The second argument to `RestRequest.AddHeader` (the header value) is vulnerable to CRLF injection. The same applies to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`.

Details

The way HTTP headers are added to a request is via the `HttpHeaders.TryAddWithoutValidation` method:

https://github.com/restsharp/RestSharp/blob/777bf194ec2d14271e7807cc704e73ec18fcaf7e/src/RestSharp/Request/HttpRequestMessageExtensions.cs#L32

This method does not check for CRLF characters in the header value. This means that any headers from a `RestSharp.RequestHeaders` object are added to the request in such a way that they are vulnerable to CRLF injection. In general, CRLF injection into an HTTP header (when using HTTP/1.1) means that one can inject additional HTTP headers or smuggle whole HTTP requests.

PoC

The example code below creates a console app that takes one command line variable "api key" and then makes a request to some status page with the provided key inserted in the "Authorization" header:

```c#
using System;
using System.Threading.Tasks;
using RestSharp;

class Program
{
    static async Task Main(string[] args)
    {
        // Usage: dotnet run
        // The key is taken from the command line and is not validated.
        var key = args[0];
        var options = new RestClientOptions("https://insert.some.site.here");
        var client = new RestClient(options);
        // The unvalidated value goes straight into the Authorization header.
        var request = new RestRequest("/status", Method.Get).AddHeader("Authorization", key);
        var response = await client.ExecuteAsync(request);
        Console.WriteLine($"Status: {response.StatusCode}");
        // …
    }
}
```
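A caller-side check for the issue described above, as an added example that is not part of the advisory or of RestSharp's own code. `HeaderGuard`, `HasUnsafeChars` and `AddHeaderChecked` are hypothetical names, and the sample keys are constructed.

```c#
using System;
using RestSharp;

// Added example: refuse header values that could terminate the header line
// before they are handed to RestRequest.AddHeader.
static class HeaderGuard
{
    // True when the value contains CR, LF, NUL or any other control character.
    // Horizontal tab is allowed because HTTP field values may contain it.
    public static bool HasUnsafeChars(string value)
    {
        foreach (var c in value)
            if (c != '\t' && char.IsControl(c))
                return true;
        return false;
    }

    // Hypothetical wrapper: throws instead of forwarding a tainted value.
    public static RestRequest AddHeaderChecked(this RestRequest request, string name, string value)
    {
        if (value is null) throw new ArgumentNullException(nameof(value));
        if (HasUnsafeChars(value))
            throw new ArgumentException($"Header '{name}' value contains control characters.", nameof(value));
        return request.AddHeader(name, value);
    }
}

class Program
{
    static void Main()
    {
        // Constructed inputs: a plain key, and one carrying an embedded CRLF.
        var samples = new[] { "Bearer abc123", "Bearer abc123\r\nX-Injected: 1" };
        foreach (var key in samples)
        {
            try
            {
                new RestRequest("/status", Method.Get).AddHeaderChecked("Authorization", key);
                Console.WriteLine("accepted");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"rejected: {ex.Message}");
            }
        }
    }
}
```

The same check applies to values passed to `RestRequest.AddOrUpdateHeader` and `RestClient.AddDefaultHeader`, which the advisory lists as equally affected.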
