{"id":"CVE-2019-11921","details":"An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper handling of Base64 when parsing malformed binary content in Structured HTTP Headers. This issue affects versions of proxygen prior to v2019.07.22.00.","modified":"2026-04-11T08:55:48.309335Z","published":"2019-07-25T21:15:11.537Z","references":[{"type":"ADVISORY","url":"https://www.facebook.com/security/advisories/cve-2019-11921"},{"type":"FIX","url":"https://github.com/facebook/proxygen/commit/2f07985bef9fbae124cc63e5c0272e32da4fdaec"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/proxygen","events":[{"introduced":"0"},{"fixed":"90666f901154a43a4fe5fa0819d73405e4a6213b"},{"fixed":"2f07985bef9fbae124cc63e5c0272e32da4fdaec"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2019.07.22.00"}]}}],"versions":["v0.18.0","v0.19.0","v0.20.0","v0.21.0","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.29.0","v0.30.0","v0.32.0","v2017.01.16.00","v2017.01.23.00","v2017.01.30.00","v2017.03.06.00","v2017.03.13.00","v2017.03.20.00","v2017.03.27.00","v2017.04.03.00","v2017.04.10.00","v2017.04.17.00","v2017.04.24.00","v2017.05.01.00","v2017.05.08.00","v2017.05.15.00","v2017.05.22.00","v2017.05.29.00","v2017.06.05.00","v2017.06.12.00","v2017.06.19.00","v2017.06.26.00","v2017.07.03.00","v2017.07.10.00","v2017.07.17.00","v2017.07.24.00","v2017.07.31.00","v2017.08.07.00","v2017.08.14.00","v2017.08.21.00","v2017.08.28.00","v2017.09.04.00","v2017.09.11.00","v2017.09.18.00","v2017.09.25.00","v2017.10.02.00","v2017.10.09.00","v2017.10.16.00","v2017.10.23.00","v2017.10.30.00","v2017.11.06.00","v2017.11.13.00","v2017.11.20.00","v2017.11.27.00","v2017.12.04.00","v2017.12.11.00","v2017.12.18.00","v2017.12.25.00","v2018.01.01.00","v2018.01.08.00","v2018.01.15.00","v2018.01.22.00","v2018.01.29.00","v2018.02.05.00","v2018.02.12.00","v2018.02.19.00","v2018.02.26.00","v2018.03.05.00","v2018.03.12.00","v2018.03.19.00","v2018.03.26.00","v2018.04.02.00","v2018.04.09.00","v2018.04.16.00","v2018.04.23.00","v2018.04.30.00","v2018.05.07.00","v2018.05.14.00","v2018.05.21.00","v2018.05.28.00","v2018.06.04.00","v2018.06.11.00","v2018.06.18.00","v2018.06.25.00","v2018.07.02.00","v2018.07.09.00","v2018.07.16.00","v2018.07.23.00","v2018.07.30.00","v2018.08.06.00","v2018.08.13.00","v2018.08.20.00","v2018.08.27.00","v2018.09.03.00","v2018.09.10.00","v2018.09.17.00","v2018.09.24.00","v2018.10.01.00","v2018.10.08.00","v2018.10.15.00","v2018.10.22.00","v2018.10.29.00","v2018.11.05.00","v2018.11.12.00","v2018.11.19.00","v2018.11.26.00","v2018.12.03.00","v2018.12.10.00","v2018.12.17.00","v2018.12.24.00","v2018.12.31.00","v2019.01.07.00","v2019.01.14.00","v2019.01.21.00","v2019.01.28.00","v2019.02.04.00","v2019.02.11.00","v2019.02.18.00","v2019.02.25.00","v2019.03.04.00","v2019.03.18.00","v2019.03.25.00","v2019.04.01.00","v2019.04.08.00","v2019.04.15.00","v2019.04.22.00","v2019.04.29.00","v2019.05.06.00","v2019.05.13.00","v2019.05.20.00","v2019.05.27.00","v2019.06.03.00","v2019.06.10.00","v2019.06.17.00","v2019.06.24.00","v2019.07.01.00","v2019.07.08.00","v2019.07.15.00"],"database_specific":{"vanir_signatures_modified":"2026-04-11T08:55:48Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11921.json","vanir_signatures":[{"id":"CVE-2019-11921-5d23e92a","deprecated":false,"target":{"file":"proxygen/lib/http/structuredheaders/StructuredHeadersUtilities.cpp","function":"decodeBase64"},"signature_version":"v1","source":"https://github.com/facebook/proxygen/commit/2f07985bef9fbae124cc63e5c0272e32da4fdaec","signature_type":"Function","digest":{"function_hash":"221967885890182975999865318938959487611","length":465}},{"id":"CVE-2019-11921-f3e41ede","deprecated":false,"target":{"file":"proxygen/lib/http/structuredheaders/StructuredHeadersUtilities.cpp"},"signature_version":"v1","source":"https://github.com/facebook/proxygen/commit/2f07985bef9fbae124cc63e5c0272e32da4fdaec","signature_type":"Line","digest":{"line_hashes":["86050572914534944995195937657063741018","308273595821480222698283546336633882627","156320854293005699795322348801874116059","294484040183059814199395819810105589735","334613915855518884655673944945620993191","338486495194510485665283497076239196785","29391790894436818986801145991041067703","199512192811219858716549071522391132928","195087560292454159356507995112357709822","314526252531303007234646939932948795910","267594994089052160318174958687127726885","157439140101808687067625707719517261496","9979937554391717534463688089403940752","233987668163829568791849991974226724889","213597272945302206130121008601815523440","311443459835129153730826588916877768134","155337347056716580819012963056653957176","177557687272377734198733973319074299769","169616437456921522830208429170610501539","170225272034984714663661231865080258921","310447937336636616363742170461832269300","92496435250361418431587092996162034690","214090192430989282195911773314465017854","50160471650757313040098774479504538818","255786148587873302208153981009040411859","273459122502893650568384709174136106277"],"threshold":0.9}},{"id":"CVE-2019-11921-f78e0aa2","deprecated":false,"target":{"file":"proxygen/lib/http/structuredheaders/StructuredHeadersUtilities.cpp","function":"encodeBase64"},"signature_version":"v1","source":"https://github.com/facebook/proxygen/commit/2f07985bef9fbae124cc63e5c0272e32da4fdaec","signature_type":"Function","digest":{"function_hash":"39944086569243519752376786991423957758","length":356}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}