{"id":"CVE-2019-16771","details":"Armeria versions 0.85.0 through 0.96.0 (inclusive) are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking.","aliases":["GHSA-24r8-fm9r-cpj2"],"modified":"2026-04-11T12:42:20.169689Z","published":"2019-12-06T19:15:10.787Z","related":["GHSA-35fr-h7jr-hh86"],"references":[{"type":"ADVISORY","url":"https://github.com/line/armeria/security/advisories/GHSA-35fr-h7jr-hh86"},{"type":"FIX","url":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/line/armeria","events":[{"introduced":"27bf7e5d6a362adc0397155188ee9cbf0826aabb"},{"fixed":"d5ba7e73cd6d4df72e6ed55fe9153b6f7a7f19e9"},{"fixed":"b597f7a865a527a84ee3d6937075cfbb4470ed20"}],"database_specific":{"versions":[{"introduced":"0.85.0"},{"fixed":"0.97.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16771.json","vanir_signatures_modified":"2026-04-11T12:42:20Z","vanir_signatures":[{"target":{"file":"core/src/main/java/com/linecorp/armeria/internal/ArmeriaHttpUtil.java"},"id":"CVE-2019-16771-045c7b51","digest":{"line_hashes":["71032814813824314066008031752364401210","333178618283574363844511374749513829987","243763840448701055884157981526549111939","250532506951957012641441180404578180650"],"threshold":0.9},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Line","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeaderNames.java","function":"of"},"id":"CVE-2019-16771-204de460","digest":{"func
tion_hash":"25066230618098409775242679898526580105","length":287},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"set"},"id":"CVE-2019-16771-2089fac1","digest":{"function_hash":"28248795869564567759454334140011249881","length":318},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"set"},"id":"CVE-2019-16771-24551795","digest":{"function_hash":"190984800037045529391333873698649645754","length":314},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeaderNamesTest.java"},"id":"CVE-2019-16771-2a98fc55","digest":{"line_hashes":["202157490814444666897488641550026172359","257952265962947123031611577911667588134","305005654439299455512043629957153041160","192861025066073508593808156485122385193","310167768787275495352207909813705914344","259252786634493341468203689301724860630","182361645858905849163140337438734835746","50653602963259447850097299473460269540","160472786656753999971696043393066389322","336722498796666459085827116351948167552","69691937654473014122920326889533271568","154875047187692661357494642955470104006"],"threshold":0.9},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Line","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"add0"},"id":"CVE-2019-16771-3da00aa7","digest":{"function_hash":"13941047795
1756246787223911494785653229","length":167},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"add"},"id":"CVE-2019-16771-413cd6a6","digest":{"function_hash":"258962077434305077171827585891727716555","length":233},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java","function":"iterateEmptyHeadersShouldThrow"},"id":"CVE-2019-16771-4173bc3f","digest":{"function_hash":"246174464565039620230268735446509955634","length":155},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeaderNames.java","function":"of"},"id":"CVE-2019-16771-43e2d2af","digest":{"function_hash":"201283064458952902560513782725562438431","length":151},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java","function":"nullHeaderNameNotAllowed"},"id":"CVE-2019-16771-4d619b1c","digest":{"function_hash":"176142767667571331343053248446580910790","length":65},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java"},"id":"CVE-2019-16771-51d13782","digest":{"line_hashes":["303152550562056253560030172340070648953","22464271393815
4850413079648159435645219","316271888075396934108300873911378386553","238740815045689453209406875601270282817","109575233484954058091565465321971322510","10343071840114233495281346945271090421","310049301372828273670124435384785936018","121061020820517688027441139808083504859","178594823894463311079933961817101507467","14585421426991003406696655823448012619","123056863131143548376313182501871557996","235783522627871444455847878949154260443","149842190420999815261088314275799483610","296987528360884646790572612217943383421","47246865582556618427045854700462510209","131707310936336291054218641907981215431","250814525284877414691603726523914686161","47759754758402711353285398367603504629","237372767846435691793109943005203634716","266118482825293162936060543278766654649","17334159486284786395887542860667215902","284028495018517714241401166382459816553","82286248023370765763472483112038151420","24136479093237139102039959191710439203","257643747093465098188941006211883948728","177454932459781770212461689409302225123","50394625700979274084005508717095148806","57101345139131887395385344870881720069","247551265865062873225710858076856177795","157810856914660594181145350895471009351","232783177819337348643154761879943741251","54755129533387175104136732355880988097","21046187171199861273689351719244394034","82706316805813766369786852421065108251","22320662363034353004974557759151014941","24897633995837140313978603742401854794","213693745098810272110488346477107318816","194581699760613565008774423199894629339","203696010579025783489855343878395349287","65848587415306741610607801908975186057","143378445910790493267221269386817000089","199725809503052895582641289308722511271","30228336773107390643270885474193994964","331265501975463488226489559134442922383","866936861260113947905808011017771805","185861623051260423708139087182429090265","103301015983995665938958608964934480888","25075262412496430444573660041829978545","156662998302583598078638317689796074298","240850478277793947
664259817234669789649","69650959123126294548648569898007473935","79482292857364024520869674576527132127","101672972284057730926080882728873801140","184097731964469200611942565463991197030","257373680535874047778416496351840271537","325573581886285245818056951516905448299","207884735806986111340358779849160426770","285805045983625442068568689761618225541","232760784421434728792264221389159916206","12875886068588621970221713364921699642","15176302018796001730817374975168898784","160985076298612849878555081399394863788","202809779431692928699460534306866263116","194926416134788383865425113160522677328","204654404638891225932918023275408113816","57329830371181951188429676103698294828","214699933109184671129226312696207641310","67463037145150335919435885934793812669","310670400602976705062337223787345326107","112833080813593493764996496360598888402","221786102603365612712739464773719703493","210555835187130268795394563239292878033","172976074285643816415790595064517559987","114327071593857973038497529272401001994","216743038270983411019205453456991925023","145611211829291462759344647748225326545","145667537197658510642574963927625940165","283562383586385605522514466756834631623","330676932358394632756077870532883885144","195128709716668821487691922667659558324","70232163032019972183853945082513383080","64779538809854661161728317771561735957","311368264301533674410409323756659840756","182508756275233117451995576194236525100","297924331857524921072120445342843624306","112815615659949769910415568186733365136","171845529424983099739870443731141421757","187571453355821103353176111694940609499","142914958681444275867588716407026363577","132670462495984598507390272066024436473","147357764386123910197428008656230760721","336973456231069538847599425792833260132","246061621740078159442835858170645928205","89094169683328808238382383016662992740","175487690828947928028977730338540444441","14146872800897339135632011826347517928","327598796993620984197825722886474070447","148816539167
894639397078362556681792186","196958329129593531879556017123924483899","91570913508447580599451009547231763848","98584489346211768195415036708777880775","260911447688351347913395084151901899099","202507790595893768996500136389378712535","132031760710759886240625286074070737302","19989281768895302711361939266708165386","328184384697537160937061015562040149592","123874860812793661411269240344513855935","286384620971277621618802222584161836104","92815475593745141133709105574919788203","323474331552918420041241116878253187289","74788919051918797928419439827440689014","93396540368254284726359776445771654164","204182857212564354772095855944948114224","199219741464934851201781483736148550195","228931625469719741516873272064405154849","6130242999543562862893753230676822997","245986966422342932429403220518237619001","287324881308364146889761191155565624419","13294846005509544478907068023077466807","315027370090666672351127841217889073148","202694775761424791066742803569761051451","217923389265912924919089659383928226053","97868008206944003972553796267153315570","94971876947734059077675609035430652324","213703743178005647991692295220856489725","29137895682645187826220641444953528947","53817762993639464356946089115695165390","216352716504922738649388287648218566193","173417283280801757800202678008876429994","329161787184442369261722983906362459752","170160718180053301851737874629373103441","119543343091286954332592277022719662120","23002838693295992146058995778422976858","281231932893130341669148131656473188610","207027326246760503794810712555607806676","262278637266156012405917595663736773179","224868829939220975130749926185523718707","319981592231162931461826037307766528863","124924695873326612145154833112607009830","167817066753250840008721708176558515558","75897564507008104938835384465761126126","71672704613392832824096955487265515670","119508791576814438317132354258892073404","135210094082617858093264405433545475781","67134188660276565971109388954623053835","2027447654232
39679442452871290381822489","262281136986650639447301125146145240473","212158435574148492176834123518949799349","45589204441049385317492254303311293932","314466065560428826933715597937417454776","40498726050979644722879058864470648243","222260932949483858105750584471854834417","318378008373121481958107363304299463848","53922490028734296136089695085981744991","294639261794505530150711305862363111325","335487526065687075686977516120694899721","215979731703736125308429047420718665609","26382022471426968413897382576991247538","103199686452347651291098489058051198974","67392018567139164406627765095443466640","187185887492687009356909610090017725160","29062957278432415694011266587942048787","131058104937248004319314884981650670804","93927287898128381951323686756080931466","180463236830255742088858368457189440126","161096164089818571923614495235813877144","311937623876585660334149339301679649265","224121342768178638216848945789924150309","326236862199082250394082047501425493702","12712168113653912587604615738785001832","302262169878396579609122369651513383593","275842930127746224614655242210227734856","182091609281899222596146974102377540345","25218036522993174526778433955761864608","306121168987373821356227601251857668244","230094914430978610805767302469386453008","221953269145648823190830651061574381303","266281074105203685392081395920498201152","69463430343011480889398693420263112663","305194072166961268805764568241133581119","318947604686792758897562997831923360465","265747007043083655042443752703936623131","267408059155748726871421409972705865036","87472607154537710316615204521323258264","270363973077191374862561946458949096335","8457831307191685199890357437300624077","185808690825365009269292954743179448823","20050229445513389813415775492479629438","219333045818846016022209007412168883523","323535932294789115517132576349727793910","45204366441723484837693042206629196953","24578748612283295811590252262570344447","60646537647995773194493477148647806743","25404828172947
2509887612890096464210470","31669342727798008784321274805896819032","107685228440948804550016246422137639761","34180845253300504074701270503704214253","21077564685281248709881475656665159806","91801759147074009455285313176811188800","142746199799920253661638462999040469263","7584129200193183194287991231872592882","18302502521890152947869859551162591204","14201987558107389560471801370576307277"],"threshold":0.9},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Line","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java","function":"emptyHeaderNameNotAllowed"},"id":"CVE-2019-16771-58fae67d","digest":{"function_hash":"285413519460045872807096990351809465091","length":63},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"addObject"},"id":"CVE-2019-16771-620e4d02","digest":{"function_hash":"121936320904049899251669678489344859143","length":195},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java"},"id":"CVE-2019-16771-625116ad","digest":{"line_hashes":["186690141666650344788708917531074649603","309097400599179681127913881758299483878","282417480881398601361242393621590215073","172955990927350493774494958389250144447","216032141360623665877419980130439972045","317774198761750863819992348706099636287","12368798040456494312048893072008390908","127636816576024805758969593998225151051","322874494565171557620729131008865190711","322248894373224623325596021886189943513","241837898641093712916275841110539455129","210206674270924654453
679909984854256408","278241704864061215896237623480930626206","110557653563667014069463265690887046339","42710180556887309157089664690434153734","93875242212046097992284995828958411750","152998584968969962254765924238374207547","242244412512256927927612730631741183860","248848147942193964273507111048058741063","74480895684510277570714994578134623240","204262937651308137368599682742369934152","81219073899483835336051762516337833471","302398802408293073887458449575195103430","278006265271367183837852858822658890973","204262937651308137368599682742369934152","316680096615673615368579856774958765118","305041804777566741907476477974910656237","305566470611257746862927824565188068601","171200194611648890855048909214679365145","1139272317535938228534498157322386789","297758030559772172335446116886129189313","270997652327362189249288343992093829144","171200194611648890855048909214679365145","189668403693735685479536394189690928949","150843483259442954618308798463787296592","140929511297012850813972793358482504717","152998584968969962254765924238374207547","203307517979926741914837751316077559106","227800531041494500280043378572769430165","338119540297107080207183993807044554452","204262937651308137368599682742369934152","44556707188789263080761993460677394503","119470435940076755965090178662233606594","174201815523339897708088577617655402072","204262937651308137368599682742369934152","137471154605068295488635481964492461332","76490780005917971838934975970915122844","209955304705989053553182213439532725673","204262937651308137368599682742369934152","214489583612550147093080683945525473069","74688573127892143996666135855930684770","85086759994570228457698401045306834395","204262937651308137368599682742369934152","92635098202233097287877960176264220927","131329658811414820311474881056905236436","142428451376492443657212733896299593434","262776810109984053546249883029741145742","139707785461648337736308482472728606567","319468587078010912399762038756174704079","8161753695717560
4333969433428617487448","21926293976143447079811499447568327933","152599925617018193877660714473756321495","186726898992700332163748907530887421249","223447962317139451408867049436085798564","14086954424118571405532240349883624830","286186202200389060422144687005833089138","216506547547182220786891194494259797813"],"threshold":0.9},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Line","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"add"},"id":"CVE-2019-16771-6a99b2d8","digest":{"function_hash":"199750250637055633120799135122622102876","length":283},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"set"},"id":"CVE-2019-16771-71bc4bb1","digest":{"function_hash":"286269103802972681671277319089579937152","length":264},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"addObject"},"id":"CVE-2019-16771-71c8bd7d","digest":{"function_hash":"112228503168810776145087025303976987902","length":199},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"normalizeName"},"id":"CVE-2019-16771-7da02009","digest":{"function_hash":"294259984383207775957971112475719970024","length":161},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_t
ype":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/internal/ArmeriaHttpUtil.java","function":"toLowercaseMap"},"id":"CVE-2019-16771-902d948c","digest":{"function_hash":"43390501686866293111620458262610353069","length":764},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeaderNames.java"},"id":"CVE-2019-16771-923d7345","digest":{"line_hashes":["73077984898207928026861017579845981851","334949598351870087813912323251894742933","174110587830244732775677589695773041773","150071500915826952482475357798300439202","88885573680564280513612983756474576803","52988212469588039737493777067189347761","284351481967614604689247571167909571539","46613139840435128443344194465162820613","123066244639822355104019576010248494867","329065136644834091458329778818510231947","297106478672827939704718869774562161733","299906869357908871197081807837170057485","92626528753522587750843632254818329035","268744809994512930176094916574183134959","95645125662438029033298044800011805136","69713909677233886756876832647225938116","137389119640668364585529706357105149923","200976497727407241668480752077403574195","55486866628673301469261295067836139613","63770713546726697472099904559355717340","121997778307961214362727720790804794769","175135418368068484457838454023540681664","108593256055394034649615132209351557968","302166541357722364658393910679292515714"],"threshold":0.9},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Line","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java","function":"testAddSelf"},"id":"CVE-2019-16771-c6ccf2e5","digest":{"function_hash":"127084925642521667309192707225507790386","length":80},"deprecated
":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/test/java/com/linecorp/armeria/common/HttpHeadersBaseTest.java","function":"testSetNullHeaderValue"},"id":"CVE-2019-16771-d25effbd","digest":{"function_hash":"311688873979448357892882150839086671996","length":100},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"setObject"},"id":"CVE-2019-16771-d5c4ac14","digest":{"function_hash":"291490945235534535883694304400161414885","length":331},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"setObject"},"id":"CVE-2019-16771-f5f6c3fe","digest":{"function_hash":"231431859922540491399997018422867702433","length":327},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"},{"target":{"file":"core/src/main/java/com/linecorp/armeria/common/HttpHeadersBase.java","function":"add"},"id":"CVE-2019-16771-f6fdacea","digest":{"function_hash":"145879193467669212021581106136182492708","length":287},"deprecated":false,"source":"https://github.com/line/armeria/commit/b597f7a865a527a84ee3d6937075cfbb4470ed20","signature_type":"Function","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}