CVE-2020-6858
Description
CRLF injection in Hotels Styx HTTP header handling allows HTTP response splitting via untrusted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-6858 is an HTTP response splitting vulnerability in Hotels Styx through version 1.0.0.beta8. The root cause is the disabling of Netty's built-in HTTP header validation in two components: com.hotels.styx.api.HttpHeaders.Builder and StyxToNettyResponseTranslator [1]. By constructing DefaultHttpHeaders or DefaultHttpResponse with the validate parameter set to false, the application fails to sanitize CRLF sequences in header values [1].
Exploitation
An attacker can exploit this by injecting CRLF sequences (such as %0d%0a) into user-controlled input that ends up in an HTTP response header. For example, the value of a query parameter named header-value can be passed directly to response.newBuilder().header("myResponseHeader", header) without validation [1]. No authentication is required: any endpoint that reflects user input into a response header is vulnerable.
Impact
Successful exploitation allows an attacker to perform HTTP response splitting, enabling cache poisoning, cross-site scripting (XSS), or web cache deception [2]. The attacker can inject arbitrary headers or body content into the HTTP response, potentially compromising users or downstream systems.
Mitigation
The vulnerability was addressed in Styx version 1.0.0.beta9 by enabling header validation (using true for the validate parameter) [1]. Users should upgrade to this or a later version. No workarounds are mentioned; disabling the vulnerable components is not recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.hotels.styx:styx-api (Maven) | < 1.0.0-rc1 | 1.0.0-rc1 |
Affected products
- Hotels/Styx
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Netty's built-in CRLF header validation is explicitly disabled via `new DefaultHttpHeaders(false)` and `new DefaultHttpResponse(version, httpResponseStatus, false)`, allowing CRLF injection into HTTP headers."
Attack vector
An attacker supplies untrusted user input that appears in a response header, for example via a query parameter such as `header-value` [ref_id=1]. Because the `HttpHeaders.Builder` and `StyxToNettyResponseTranslator` disable Netty's CRLF validation, the attacker can inject CRLF sequences (e.g., `\r\n`) into the header value [CWE-74]. This allows the attacker to split the HTTP response, injecting arbitrary headers or body content into the downstream response stream.
Affected code
The vulnerable component is `com.hotels.styx.api.HttpHeaders.Builder`, which calls `new DefaultHttpHeaders(false)` to disable Netty's built-in HTTP header validation [ref_id=1]. Additionally, `StyxToNettyResponseTranslator` also disables validation via `new DefaultHttpResponse(version, httpResponseStatus, false)` [ref_id=1]. Both locations are in the Styx codebase up to version 1.0.0.beta8.
What the fix does
The advisory recommends replacing `new DefaultHttpHeaders(false)` with either the default constructor or `new DefaultHttpHeaders(true)` in `HttpHeaders.java`, and replacing `new DefaultHttpResponse(version, httpResponseStatus, false)` with `new DefaultHttpResponse(version, httpResponseStatus, true)` in `StyxToNettyResponseTranslator.java` [ref_id=1]. These changes re-enable Netty's built-in CRLF validation, which will reject header values containing CRLF sequences and thus prevent HTTP response splitting. No patch commit is provided in the advisory beyond these code-change instructions.
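As an added illustration (not code from the Styx project or the advisory), the following contrasts the two Netty constructor settings the advisory names, using only Netty's public API. It assumes Netty 4.1.x on the classpath; the header name and the CRLF-bearing sample value are constructed here in the shape of the advisory's proof of concept.

```java
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.DefaultHttpResponse;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;

// Added example, not Styx project code. Assumes Netty 4.1.x on the classpath.
public class HeaderValidationDemo {
    // Constructed sample value in the shape the advisory's proof of concept asserts on.
    static final String CRLF_VALUE = "ok\r\nAnother: CRLF_Injection";

    /** Tries to store the value; true if Netty rejects it with IllegalArgumentException. */
    static boolean rejects(HttpHeaders headers, String value) {
        try {
            headers.set("myResponseHeader", value);
            return false;
        } catch (IllegalArgumentException e) {
            return true;
        }
    }

    /** Pre-fix shape used by HttpHeaders.Builder: validation off. */
    static HttpHeaders unvalidated() {
        return new DefaultHttpHeaders(false);
    }

    /** Fixed shape for HttpHeaders.Builder: validation on. */
    static HttpHeaders validated() {
        return new DefaultHttpHeaders(true);
    }

    /** Fixed shape for StyxToNettyResponseTranslator: validated response headers. */
    static HttpHeaders validatedResponseHeaders() {
        return new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, true).headers();
    }

    public static void main(String[] args) {
        HttpHeaders weak = unvalidated();
        weak.set("myResponseHeader", CRLF_VALUE); // accepted without complaint
        // With validation off the raw CRLF survives in the stored value, and the
        // encoder would later write it as a line break, i.e. a second header line.
        System.out.println("validate=false keeps CRLF: " + weak.get("myResponseHeader").contains("\r\n"));
        System.out.println("validate=true rejects CRLF (headers): " + rejects(validated(), CRLF_VALUE));
        System.out.println("validate=true rejects CRLF (response): " + rejects(validatedResponseHeaders(), CRLF_VALUE));
        System.out.println("validate=true keeps plain value: " + !rejects(validated(), "plain-value"));
    }
}
```

The validated variants throw before the value is ever stored, which is why the fix needs no additional sanitising code in Styx itself.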
Preconditions
- Input: The application must accept untrusted user input that is placed into an HTTP response header.
- Auth: No authentication is required; the attacker can send a crafted request with a malicious query parameter.
Reproduction
The advisory includes a proof-of-concept test plugin and test method [ref_id=1]. The `VulnerablePlugin` reads a query parameter `header-value`, sets it as both a request header and a response header, and the test asserts that the injected CRLF sequence (`\r\nAnother: CRLF_Injection`) is accepted without validation. To reproduce, run the provided `simpleHeaderInjectionVulnerabilityPOC` test against a Styx instance built with the vulnerable code.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6v7p-v754-j89v (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-6858 (GHSA, advisory)
- github.com/HotelsDotCom/styx/security/advisories/GHSA-6v7p-v754-j89v (x_refsource_MISC, web)
- twitter.com/JLLeitschuh (x_refsource_MISC, web)
News mentions
No linked articles in our index yet.