🔒 Security · 🟠 High · Confidence: 95%
File: packages/eve/src/public/channels/auth.ts
Location: escapeChallengeValue
What's wrong
The function escapeChallengeValue only escapes backslashes and double quotes: return value.replaceAll("\\", "\\\\").replaceAll('"', '\\"');. It does not escape CR (\r) or LF (\n) characters, which can be injected into the WWW-Authenticate header via a crafted challenge value, leading to HTTP response splitting attacks.
Suggested fix
Update the escaping function to also sanitize CR and LF characters (or reject them) before inserting into the header. For example:
function escapeChallengeValue(value: string): string {
  return value
    // Escape backslashes first so the quote escape below is not doubled.
    .replaceAll('\\', '\\\\')
    .replaceAll('"', '\\"')
    // Drop CR and LF so the value can never terminate the header line.
    .replaceAll('\r', '')
    .replaceAll('\n', '');
}
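The following is an added example, not code from packages/eve or the audit tool: it places the escaping behaviour the finding describes beside a hardened version, builds a WWW-Authenticate value from a constructed attacker-controlled realm, and adds a last-line check that refuses any value still carrying CR or LF. The hardened version strips all C0 control characters and DEL rather than only CR/LF, which is an assumption going beyond the suggested fix (RFC 7230 forbids those characters in a field value anyway). buildWwwAuthenticate and assertHeaderSafe are hypothetical helpers; the real auth.ts may shape its challenge differently. One practical caveat when verifying the finding: current Node.js rejects CR and LF in header values inside res.setHeader, so whether the injected bytes ever reach the wire depends on the runtime and on how the header is written.

```typescript
// Added example (not from packages/eve/src/public/channels/auth.ts).
// Regex replace is used instead of String.prototype.replaceAll so the file
// compiles under older lib targets; behaviour is identical.

// Escaping as described in the finding: only backslash and double quote.
function escapeChallengeValueOriginal(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// Hardened: strip every C0 control character and DEL (assumption: broader than
// the CR/LF-only fix, since none of them are valid in a header field value),
// then escape backslash and double quote in that order.
function escapeChallengeValue(value: string): string {
  return value
    .replace(/[\x00-\x1f\x7f]/g, "")
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"');
}

// Hypothetical builder for a Bearer challenge from parameter name/value pairs.
function buildWwwAuthenticate(params: Record<string, string>): string {
  const parts = Object.entries(params).map(
    ([name, value]) => `${name}="${escapeChallengeValue(value)}"`,
  );
  return `Bearer ${parts.join(", ")}`;
}

// Defence in depth at the point the value is handed to the HTTP layer:
// refuse, rather than silently emit, anything that could split the response.
function assertHeaderSafe(value: string): string {
  if (/[\r\n]/.test(value)) {
    throw new Error("refusing to emit header value containing CR or LF");
  }
  return value;
}

// Constructed attacker input: closes the quoted realm and smuggles a header.
const CRAFTED_REALM = 'x"\r\nSet-Cookie: session=evil';

// Returns the header value each escaper would produce for the crafted realm.
function demo(): { original: string; hardened: string } {
  const original = `Bearer realm="${escapeChallengeValueOriginal(CRAFTED_REALM)}"`;
  const hardened = buildWwwAuthenticate({ realm: CRAFTED_REALM });
  return { original, hardened };
}
```

Running demo() shows the original escaper keeping the CRLF inside the header value (the injected Set-Cookie line survives), while the hardened value is a single line whose only remaining oddity is an escaped quote; assertHeaderSafe throws on the former and returns the latter unchanged.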
About this report
This finding was generated by an automated audit tool using Llama 3.3 70B + verification passes.
Only findings with ≥92% confidence that passed both LLM self-verification and line reference
verification are reported. False positives are still possible — please verify before acting.