{"id":"CVE-2020-7611","details":"All versions of io.micronaut:micronaut-http-client before 1.2.11 and all versions from 1.3.0 before 1.3.2 are vulnerable to HTTP Request Header Injection due to not validating request headers passed to the client.","aliases":["GHSA-694p-xrhg-x3wm"],"modified":"2026-04-11T17:01:34.471465Z","published":"2020-03-30T22:15:15.603Z","related":["GHSA-694p-xrhg-x3wm","SNYK-JAVA-IOMICRONAUT-561342"],"references":[{"type":"FIX","url":"https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1"},{"type":"FIX","url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-694p-xrhg-x3wm"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-IOMICRONAUT-561342"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-core","events":[{"introduced":"0"},{"fixed":"4ad4a686320aa89a4ebfcc7b472c7deb823a3d11"},{"introduced":"c775f9e5a470f44ad3595d11ada7ec4ab32d0ee7"},{"fixed":"b8b52ebec272cb8ce39bae5d0ed053b5cc9fdfba"},{"fixed":"9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.11"},{"introduced":"1.3.0"},{"fixed":"1.3.2"}]}}],"versions":["v1.0.0","v1.0.0.M1","v1.0.0.M2","v1.0.0.M3","v1.0.0.M4","v1.0.0.RC2","v1.0.0.RC3","v1.1.0.M1","v1.1.0.M2","v1.1.0.RC1","v1.1.0.RC2","v1.2.0","v1.2.0.RC1","v1.2.0.RC2","v1.2.1","v1.2.10","v1.2.2","v1.2.3","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.3.0","v1.3.0.M2","v1.3.0.RC1","v1.3.0.TEST","v1.3.1"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"279585357239160518281699105977565984920","length":119},"id":"CVE-2020-7611-1bdd4467","target":{"file":"http-netty/src/main/java/io/micronaut/http/netty/NettyHttpHeaders.java","function":"NettyHttpHeaders"},"source":"https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1","deprecated":false},{"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["3288462943823054163738607323452904498","253714978496155313953035315991965338851","61570352787045959113304840899923945643","108640851695436842458951814569846236982"],"threshold":0.9},"id":"CVE-2020-7611-c391728b","target":{"file":"http-netty/src/main/java/io/micronaut/http/netty/NettyHttpHeaders.java"},"source":"https://github.com/micronaut-projects/micronaut-core/commit/9d1eff5c8df1d6cda1fe00ef046729b2a6abe7f1","deprecated":false}],"vanir_signatures_modified":"2026-04-11T17:01:34Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7611.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}