CVE-2019-16254 in Ruby
Summary
by MITRE
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Analysis
by VulDB Data Team • 05/10/2026
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 contains an HTTP response splitting vulnerability in WEBrick, the HTTP server that ships with the Ruby standard library. Only applications that copy untrusted input into a response header are affected; WEBrick itself does not do this. The flaw stems from an incomplete remediation of CVE-2017-17742: that fix rejected the CRLF sequence in header values, but a lone carriage return (CR) or a lone line feed (LF) still passed the check. Because most clients treat a bare LF as a line terminator, a single header value can be turned into several headers, which lets an attacker add or override headers and, by also injecting an empty line, supply part of the response body. The vulnerability is classified under CWE-113, "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')". It was fixed in Ruby 2.4.8, 2.5.7 and 2.6.5.
The vulnerable pattern is an application that builds a header, typically Location or Set-Cookie, from user-controlled data (a redirect target taken from a query parameter, for example) and hands it to WEBrick without validating it. An attacker supplies a value that contains a CR or an LF character, often URL-encoded as %0D or %0A, followed by a forged header line. WEBrick's header check in the affected versions only rejected the two-byte "\r\n" sequence, so the value is accepted and written to the socket verbatim. The client then parses the injected text as additional headers: it can be made to store an attacker-chosen cookie, follow a different redirect, or, if the attacker also injects a blank line, render an attacker-controlled body that scripts would run in the origin of the vulnerable site. The server does not have to "understand" the injected content for this to work; the split happens at the receiving end.
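The following is an added example, not code from the page or from WEBrick, that shows why rejecting only the CRLF pair is insufficient. The two check functions are simplified stand-ins for the behaviour described above (the CVE-2017-17742 check and the stricter one that closed CVE-2019-16254), and the response serialiser and client-side parser are this example's own; the payload is constructed for the demonstration.

```ruby
# Added example (not WEBrick's own code): a CRLF-only header check versus a
# check that rejects any bare CR or LF, and what a lenient client sees in each case.

class InvalidHeader < StandardError; end

# Check in the spirit of the CVE-2017-17742 fix: only the two-byte CRLF is rejected.
def check_header_crlf_only(value)
  raise InvalidHeader, "CRLF in header" if value =~ /\r\n/
  value
end

# Check in the spirit of the CVE-2019-16254 fix: any lone CR or LF is rejected.
def check_header_strict(value)
  raise InvalidHeader, "CR or LF in header" if value =~ /[\r\n]/
  value
end

# Build the head of an HTTP/1.1 response the way a server writes it to the
# socket: status line, then one "Name: value" line per header, CRLF-terminated.
def serialize_head(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# Re-parse the head as a lenient client does (RFC 7230 permits recognising a
# bare LF as a line terminator) and return the header names it sees.
def parse_header_names(head)
  head.split(/\r?\n/).drop(1).reject(&:empty?).map { |l| l.split(":", 2).first }
end

# Constructed attacker value for a Location header: a bare LF followed by a
# forged Set-Cookie line. No "\r\n" appears, so the CRLF-only check passes it.
PAYLOAD = "https://example.test/\nSet-Cookie: session=attacker".freeze

def build_response(value, checker)
  checked = send(checker, value)
  serialize_head("302 Found", { "Location" => checked, "Content-Length" => "0" })
end

# Returns the header names the client ends up with, or [:rejected, reason]
# when the server-side check refuses the value.
def headers_seen_by_client(checker)
  parse_header_names(build_response(PAYLOAD, checker))
rescue InvalidHeader => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  p headers_seen_by_client(:check_header_crlf_only) # injected Set-Cookie is present
  p headers_seen_by_client(:check_header_strict)    # value is rejected
end
```

With the CRLF-only check the client receives a Set-Cookie header the application never set; with the strict check the same value raises before anything is written. The same payload with "\r" instead of "\n" behaves identically against the weak check, which is the isolated-CR case the MITRE note mentions.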
The impact of CVE-2019-16254 depends on what the attacker can inject and on who receives the response. Injecting a Set-Cookie header enables session fixation; injecting a blank line followed by HTML or script gives cross-site scripting in the vulnerable site's origin; a forged Location or Cache-Control header can send users to a phishing site or, if a caching proxy sits in front of the server, poison the cached copy for other users. Security headers the application sets can be duplicated or contradicted by the injected ones, so protections that rely on header integrity are weakened. WEBrick ships with every Ruby installation and is most common in development and test setups, but it is also used as the server behind small internal tools and some Rails applications, so the exposure is not limited to non-production systems.
The primary fix is to upgrade to Ruby 2.4.8, 2.5.7, 2.6.5 or later, where WEBrick rejects any CR or LF in a header value. Independently of the Ruby version, applications should never place unvalidated input in a response header: reject values containing CR, LF or other control characters rather than stripping them silently, and restrict redirect targets to relative paths or an allow-list of hosts. A web application firewall can block the usual transport of these attacks, %0D and %0A in request parameters, but it is a stop-gap, not a substitute for the upgrade. Monitoring request logs for encoded CR/LF in parameters that feed headers gives early warning of exploitation attempts. The incident also illustrates why a security fix needs test cases for each variant of the bad input, not only the one reported: the CVE-2017-17742 patch tested the CRLF pair and left the single-character cases open for nearly two years.
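The following is an added example, not code from the page or from the Ruby project, that implements two of the mitigations above in plain Ruby: a header-value validator used by a redirect handler that also refuses open redirects, and a scanner that flags access-log entries carrying URL-encoded CR or LF in request parameters. The log format (Common Log Format), the parameter name next, the allowed host and the sample log lines are all constructed for this example.

```ruby
# Added example (not from the page or from Ruby/WEBrick): reject control characters
# before a value reaches a header, and detect attempts in access logs.
require "uri"

# 1. Sanitisation. All C0 control characters and DEL are refused, not only CR and LF.
# Rejecting is preferable to stripping: the request is clearly malicious and the
# rejection can be logged, whereas a stripped value silently becomes something else.
CTL_OR_NEWLINE = /[\x00-\x1f\x7f]/

def safe_header_value(value)
  raise ArgumentError, "control character in header value" if value.match?(CTL_OR_NEWLINE)
  value
end

# A redirect whose target comes from a query parameter (assumed name: next).
# Relative paths are allowed; absolute URLs only for the application's own host.
def redirect_target(param, allowed_host: "app.example.test")
  target = safe_header_value(param)
  uri = URI.parse(target)
  return target if uri.host.nil? && target.start_with?("/")
  return target if uri.host == allowed_host && %w[http https].include?(uri.scheme)
  "/" # anything else falls back to the site root instead of an open redirect
rescue URI::InvalidURIError
  "/"
end

# 2. Detection. Header injection from the network almost always arrives as
# %0D / %0A in a parameter; double encoding (%250A) is flagged too.
INJECTION_PATTERN = /%(?:25)?0[AaDd]/

# Returns one hash per suspicious request: the raw target and its decoded form.
def suspicious_requests(log_lines)
  hits = []
  log_lines.each do |line|
    # Common Log Format: client - - [time] "METHOD target HTTP/x.y" status bytes
    m = line.match(%r{"(?<method>\S+) (?<target>\S+) HTTP/[\d.]+"})
    next unless m && m[:target].match?(INJECTION_PATTERN)
    hits << { target: m[:target], decoded: URI.decode_www_form_component(m[:target]) }
  end
  hits
end

# Constructed sample log: one benign redirect and three injection attempts.
SAMPLE_LOG = [
  '10.0.0.5 - - [10/Oct/2019:12:00:01 +0000] "GET /login?next=/account HTTP/1.1" 302 0',
  '10.0.0.9 - - [10/Oct/2019:12:00:02 +0000] "GET /login?next=/x%0ASet-Cookie:%20sid=evil HTTP/1.1" 302 0',
  '10.0.0.9 - - [10/Oct/2019:12:00:03 +0000] "GET /login?next=/x%0d%0aLocation:%20https://phish.test HTTP/1.1" 302 0',
  '10.0.0.9 - - [10/Oct/2019:12:00:04 +0000] "GET /login?next=%250aSet-Cookie:%20a=b HTTP/1.1" 302 0'
].freeze

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |hit| puts "suspicious: #{hit[:decoded].inspect}" }
  puts redirect_target("/account")
  puts redirect_target("https://phish.test/")
end
```

The validator deliberately refuses the whole C0 range rather than only CR and LF, because other control characters have their own parser-differential problems and there is no legitimate reason for one to appear in a header value. The scanner only looks at the request target; if the application takes header-bound values from POST bodies or cookies, those fields need the same treatment.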