CVE-2006-5330 in Flash Player
Summary
by MITRE
CRLF injection vulnerability in Adobe Flash Player plugin 9.0.16 and earlier for Windows, 7.0.63 and earlier for Linux, 7.x before 7.0 r67 for Solaris, and before 9.0.28.0 for Mac OS X, allows remote attackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks via CRLF sequences in arguments to the ActionScript functions (1) XML.addRequestHeader and (2) XML.contentType. NOTE: the flexibility of the attack varies depending on the type of web browser being used.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/24/2026
The CVE-2006-5330 vulnerability represents a critical cross-site scripting and HTTP header manipulation flaw in Adobe Flash Player versions prior to specific patches across multiple operating systems. This vulnerability stems from insufficient input validation within the ActionScript functions XML.addRequestHeader and XML.contentType which accept user-supplied data containing carriage return line feed sequences without proper sanitization. The flaw enables remote attackers to inject malicious CRLF (Carriage Return Line Feed) sequences into HTTP headers, fundamentally compromising the integrity of client-server communications and creating opportunities for sophisticated attack vectors.
The technical implementation of this vulnerability occurs when Flash Player processes user-controllable input through the vulnerable ActionScript methods, allowing attackers to inject newline characters that manipulate HTTP header construction. When these injected sequences are processed by web servers or proxy intermediaries, they can cause HTTP request splitting where a single request is interpreted as multiple separate requests. This behavior creates multiple attack surfaces including cache poisoning, session hijacking, and cross-site request forgery exploitation. The vulnerability specifically affects Adobe Flash Player versions 9.0.16 and earlier for Windows, 7.0.63 and earlier for Linux, 7.x before 7.0 r67 for Solaris, and before 9.0.28.0 for Mac OS X, demonstrating the widespread impact across platforms and the complexity of addressing such a fundamental security flaw in multimedia processing software.
The operational impact of this vulnerability extends beyond simple header manipulation to encompass broader security implications for web applications utilizing Flash content. Attackers can leverage this weakness to bypass security controls, manipulate web application behavior, and potentially redirect user requests to malicious endpoints. The flexibility of exploitation varies significantly based on the target web browser and server configuration, with some environments being more susceptible to cache poisoning attacks where malicious content is cached and served to other users. This vulnerability directly maps to CWE-113, which describes improper neutralization of CRLF sequences in HTTP headers, and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter: JavaScript, as the attack vector involves manipulating script execution contexts through header injection. The vulnerability also relates to ATT&CK technique T1566 for Phishing and T1595 for Active Scanning, as attackers can craft malicious Flash content to deliver phishing payloads or scan for additional vulnerabilities.
Organizations should immediately implement patch management protocols to upgrade all affected Adobe Flash Player installations to versions that properly sanitize input before processing HTTP headers. Network monitoring solutions should be enhanced to detect anomalous HTTP header patterns that might indicate CRLF injection attempts, while web application firewalls can be configured to block suspicious request sequences containing CRLF characters. Additionally, administrators should consider disabling Flash content in web browsers where possible and implement proper input validation at multiple layers of the application architecture to prevent similar vulnerabilities in other components. The vulnerability serves as a critical reminder of the importance of input sanitization in web applications and the need for comprehensive security testing that includes dynamic analysis of multimedia content processing libraries.