CVE-2016-1133

low

Published 2016-01-16 · Modified 2026-05-06

CVSS v3

3.7

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2

4.3

VIR risk

3.7

Description

CRLF injection vulnerability in the on_req function in lib/handler/redirect.c in H2O before 1.6.2 and 1.7.x before 1.7.0-beta3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.

Predictions

Exploit likelihood

47%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-1133

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2016-000003

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN45928828/index.html

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`0`
debian	bullseye	fixed	`0`

Application impact

Vendor	Product	Versions	Fixed
dena	h2o	`{"endIncluding":"1.6.1"}`
dena	h2o	`1.7.0`

References

Verify integrity in audit chain (admin only). AS-IS.