CVE-2019-16254: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input in...

Description

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

4.57%

90.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Ruby-Lang	Ruby	<= 2.3.0
Ruby-Lang	Ruby	>= 2.4.0, <= 2.4.7
Ruby-Lang	Ruby	>= 2.5.0, <= 2.5.6
Ruby-Lang	Ruby	>= 2.6.0, <= 2.6.4
Debian	Debian Linux	8.0

References

Timeline

Published: Nov 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-16254?

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

How severe is CVE-2019-16254?

CVE-2019-16254 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 4.57% probability of exploitation in the next 30 days.

How do I fix CVE-2019-16254?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.