VYPR
High severity · NVD Advisory · Published Oct 18, 2019 · Updated Aug 5, 2024

CVE-2019-17513

Description

Ratpack before 1.7.5 fails to validate HTTP header values for control characters, enabling HTTP Response Splitting when untrusted data is used in headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

Ratpack versions 0.9.1 through 1.7.4 build the response header container as `new DefaultHttpHeaders(false)`, where the boolean is Netty's `validate` flag [1][3]. With validation switched off, Netty never inspects header names or values, so carriage return and line feed characters (and other HTTP control characters) placed in a response header value are written to the wire unchanged. That unchecked CRLF is exactly the primitive HTTP Response Splitting needs.

Exploitation

The framework defect becomes exploitable only when an application copies untrusted input (e.g., query parameters, form fields) into a response header value without sanitization, such as a user-selected value echoed into a custom or redirect header [2]. No authentication is required if the vulnerable endpoint is reachable anonymously. Because nothing strips CR or LF, an injected `\r\n` ends the attacker-controlled header, a second `\r\n` ends the header block, and everything that follows is parsed by the client as a new response whose status line, headers, and body the attacker controls [2][3]. Applications that only ever set headers from constants or validated values are not exploitable through this path, although the missing validation remains a latent defect until the upgrade.

Impact

Successful exploitation allows an attacker to perform cross-user defacement, cache poisoning, cross-site scripting (XSS), and page hijacking [2]. For example, injecting a second response carrying a `Content-Type: text/html` header followed by a `<script>` tag in its body can execute arbitrary JavaScript in the victim's browser, and a shared cache that stores that injected response serves it to every later visitor [2].

Mitigation

The vulnerability is fixed in Ratpack version 1.7.5, which constructs the Netty header container with validation enabled [4]. Users are strongly advised to upgrade. Two caveats apply after upgrading. First, Netty's check still permits obsolete line folding: its own rejection message, seen in the fix commit's test, says only a space or tab is allowed after `\n`, so a value such as `x\r\n y` passes and is then subject to whatever the downstream client or proxy does with a folded header. Second, the check throws an `IllegalArgumentException` at the point the header is set, so handlers that feed user data into headers now fail on that input instead of emitting a malformed response. For both reasons, as a workaround on old versions and as defence in depth on 1.7.5 and later, applications should validate any user-supplied data used as a response header value themselves and reject every CR, LF, and other control character before it reaches the framework [2][4].
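How the injected bytes split a response on the wire, and what each level of validation catches, as an added Python example covering both the Exploitation and Mitigation passages above. This is illustrative code written for this page, not Ratpack or Netty source; the `X-Lang` header, the query value and the payload are constructed for the example. The Netty-style checker is reconstructed from the error text in the fix commit's test and is an approximation of Netty's validator, not a copy of it.

```python
from urllib.parse import unquote

# Constructed attacker input (not from the advisory): a URL-encoded query value
# that a hypothetical vulnerable handler copies into an X-Lang response header.
ATTACKER_PARAM = (
    "en%0D%0AContent-Length:%200%0D%0A%0D%0A"
    "HTTP/1.1%20200%20OK%0D%0AContent-Type:%20text/html%0D%0A"
    "Content-Length:%2025%0D%0A%0D%0A%3Cscript%3Ealert(1)%3C/script%3E"
)


def build_response(header_name, header_value, body=b"ok"):
    """Serialize a minimal HTTP/1.1 response, writing header_value verbatim.
    This models the pre-1.7.5 situation: the header container validated nothing."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"{header_name}: {header_value}\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def parse_responses(wire):
    """Read consecutive responses the way a simple client or cache does, using
    Content-Length to delimit bodies. Returns (responses, leftover_bytes) where
    each response is (status_line, headers_dict, body)."""
    responses = []
    rest = wire
    while rest.startswith(b"HTTP/"):
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, rest = rest[:length], rest[length:]
        responses.append((lines[0], headers, body))
    return responses, rest


def netty_style_check(value):
    """Netty-style header value check, reconstructed from the error text in
    Ratpack's ResponseHeaderValidationSpec and Netty's documented rules (an
    approximation, not Netty's source). Returns None when the value passes,
    otherwise the rejection message. It still accepts obsolete line folding,
    i.e. CRLF followed by a space or tab."""
    state = 0  # 0: normal, 1: just saw CR, 2: just saw LF
    for ch in value:
        if ch in "\x0b\x0c":
            return f"a header value contains a prohibited character {ch!r}: {value!r}"
        if state == 0:
            if ch == "\r":
                state = 1
            elif ch == "\n":
                state = 2
        elif state == 1:
            if ch != "\n":
                return f"only '\\n' is allowed after '\\r': {value!r}"
            state = 2
        else:
            if ch not in " \t":
                return f"only ' ' and '\\t' are allowed after '\\n': {value!r}"
            state = 0
    if state != 0:
        return f"a header value must not end with '\\r' or '\\n': {value!r}"
    return None


def strict_check(value):
    """Application-level check to apply regardless of framework version: reject
    every control character (below 0x20 except HT, plus DEL) so CR and LF can
    never reach the serializer. Returns None when clean, else a message."""
    for ch in value:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            return f"control character {code:#04x} rejected in header value"
    return None


def demo_split():
    """Decode the attacker's query value, emit it unvalidated, and show that a
    client sees two responses. Returns (count, second_content_type,
    second_body, leftover_prefix)."""
    value = unquote(ATTACKER_PARAM)
    responses, leftover = parse_responses(build_response("X-Lang", value))
    second = responses[1]
    return len(responses), second[1]["content-type"], second[2], leftover[:2]
```

`demo_split()` returns `(2, 'text/html', b'<script>alert(1)</script>', b'\r\n')`: the client parses the attacker's injected `text/html` response as a complete message and the server's own `Content-Type`, `Content-Length` and `ok` trail behind as leftover bytes. `netty_style_check` on the payload from the fix commit's test returns the same message that test asserts, while `a\r\n b` passes it and is rejected only by `strict_check`, which is the gap an application-level check closes.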

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.ratpack:ratpack-core (Maven)
Affected versions: < 1.7.5
Patched versions: 1.7.5

Patches

3
02f8e6b9076e

Version 1.7.5

https://github.com/ratpack/ratpack · Luke Daley · Oct 9, 2019 · via osv
1 file changed · +1 −1
  • ratpack.gradle (+1 −1, modified)
    @@ -39,7 +39,7 @@ buildscript {
     }
     
     allprojects {
    -  version = "1.7.5-SNAPSHOT"
    +  version = "1.7.5"
     }
     
     ext {
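Review bot: this hunk is the release bump only (1.7.5-SNAPSHOT to 1.7.5 inside `allprojects`) and carries no behavioural change, so anyone auditing a build from source should confirm the NettyHandlerAdapter change is present rather than trusting the version string; a pointer from this commit to the header-validation commits would make that traceability explicit.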
    
c560a8d10cb8

Add test for response header validation

https://github.com/ratpack/ratpack · Luke Daley · Oct 8, 2019 · via ghsa
1 file changed · +42 −0
  • ratpack-core/src/test/groovy/ratpack/http/ResponseHeaderValidationSpec.groovy (+42 −0, added)
    @@ -0,0 +1,42 @@
    +/*
    + * Copyright 2019 the original author or authors.
    + *
    + * Licensed under the Apache License, Version 2.0 (the "License");
    + * you may not use this file except in compliance with the License.
    + * You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package ratpack.http
    +
    +import ratpack.test.internal.RatpackGroovyDslSpec
    +
    +class ResponseHeaderValidationSpec extends RatpackGroovyDslSpec {
    +
    +  def "invalid header values yield exception"() {
    +    when:
    +    handlers {
    +      all {
    +        try {
    +          header("Test", "value\r\nAnotherHeader: another value")
    +          render "ok"
    +        } catch (e) {
    +          render e.toString()
    +        }
    +      }
    +    }
    +
    +    then:
    +    def response = get()
    +    response.headers.names == ['content-type', 'content-length'].toSet()
    +    response.body.text == "java.lang.IllegalArgumentException: only ' ' and '\\t' are allowed after '\\n': value\r\nAnotherHeader: another value"
    +  }
    +
    +}
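Review bot: the assertion `response.body.text == "java.lang.IllegalArgumentException: only ' ' and '\\t' are allowed after '\\n': ..."` pins Netty's exact exception text, so a Netty upgrade that rewords the message fails this test with no regression in the fix; asserting on the exception type and on the absence of `AnotherHeader` from the response (the `response.headers.names` check already covers the latter) would be more robust. The single payload also leaves gaps worth closing: add cases for a lone `\r`, a lone `\n`, a value ending in CRLF, and CRLF followed by a space or tab, since the message being asserted states that a space or tab after `\n` is accepted, which is the obsolete line-folding form and deserves an explicit test documenting that it is still permitted.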
    
efb910d38a96

Enable HTTP header validation

https://github.com/ratpack/ratpack · Luke Daley · Oct 8, 2019 · via ghsa
1 file changed · +1 −1
  • ratpack-core/src/main/java/ratpack/server/internal/NettyHandlerAdapter.java (+1 −1, modified)
    @@ -156,7 +156,7 @@ private void newRequest(ChannelHandlerContext ctx, HttpRequest nettyRequest) thr
           channel.attr(CLIENT_CERT_KEY).get()
         );
     
    -    HttpHeaders nettyHeaders = new DefaultHttpHeaders(false);
    +    HttpHeaders nettyHeaders = new DefaultHttpHeaders();
         MutableHeaders responseHeaders = new NettyHeadersBackedMutableHeaders(nettyHeaders);
         AtomicBoolean transmitted = new AtomicBoolean(false);
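Review bot: `new DefaultHttpHeaders()` leans on Netty's default for the validate flag; writing `new DefaultHttpHeaders(true)` at this line would state the intent explicitly, given that the previous `false` is exactly the argument being corrected. This also deserves a changelog note: with validation on, `header(...)` calls now throw `IllegalArgumentException` for CR or LF in a value (the new ResponseHeaderValidationSpec exercises that path), so applications that previously emitted such headers silently will now see an exception from the handler on that input; they should validate user-derived header values themselves and return a client error instead.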
     
    
