CVE-2020-6858

CVE-2020-6858 is a medium-severity security vulnerability in com.hotels.styx:styx-api (maven), affecting versions <= 1.0.0.beta8. It is fixed in 1.0.0-rc1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

HTTP Response Splitting in Styx

Vulnerability

Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

Vulnerable Component

The vulnerable component is the com.hotels.styx.api.HttpHeaders.Builder due to disabling the HTTP Header validation built into Netty in these locations:

https://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145

https://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145

new DefaultHttpHeaders(false) disables the built-in validation in Netty. Either use the default constructor or new DefaultHttpHeaders(true instead.

Additionally, another vulnerable component is the StyxToNettyResponseTranslator due to also disabling the HTTP Header validation built into netty in this location.

https://github.com/HotelsDotCom/styx/blob/8d60e5493e65d0d536afc0b350dcb02d24e0f7a7/components/server/src/main/java/com/hotels/styx/server/netty/connectors/StyxToNettyResponseTranslator.java#L30

DefaultHttpResponse nettyResponse = new DefaultHttpResponse(version, httpResponseStatus, false);
new DefaultHttpResponse(version, httpResponseStatus, false); disables the built-in validation in Netty. Please use the constructor new DefaultHttpResponse(version, httpResponseStatus, true);

Proof of Concept

The following test plugin proves that there is no header validation occurring.

    static class VulnerablePlugin implements Plugin {

        @Override
        public Eventual&lt;LiveHttpResponse&gt; intercept(LiveHttpRequest request, Chain chain) {
            String header = request.queryParam(&quot;header-value&quot;).get();
            LiveHttpRequest newRequest = request.newBuilder()
                .header(&quot;myRequestHeader&quot;, header)
                .build();
            return chain.proceed(newRequest).map(response -&gt;
                response.newBuilder().header(&quot;myResponseHeader&quot;, header).build()
            ) ;
        }

    }

    @Test
    public void simpleHeaderInjectionVulnerabilityPOC() {
        Plugin vulnerablePlugin = new VulnerablePlugin();
        // a simple way to mock the downstream system
        HttpInterceptor.Chain chain = request -&gt; {
            assertThat(request.header(&quot;myRequestHeader&quot;).orElse(null), is(&quot;test\r\nAnother: CRLF_Injection&quot;));
            return Eventual.of(response(OK).build());
        };

        // an example request you expect your plugin to receive
        String encodedGet = URLEncoder.encode(&quot;test\r\nAnother: CRLF_Injection&quot;);
        LiveHttpRequest request = get(&quot;/foo?header-value=&quot; + encodedGet)
            .build();

        // since this is a test, we want to wait for the response
        LiveHttpResponse response = Mono.from(vulnerablePlugin.intercept(request, chain)).block();

        assertThat(response.header(&quot;myResponseHeader&quot;).orElse(null), is(&quot;test\r\nAnother: CRLF_Injection&quot;));
    }

Additionally, if you run this LiveHttpResponse from this test through the StyxToNettyResponseTranslator::toNettyResponse, ideally, it would have caused an exception to be thrown. In its current state, it does not.

Similar Vulnerabilities

There have been reports of similar vulnerabilities in other popular libraries.

GHSA-35fr-h7jr-hh86 -> CVE-2019-16771
GHSA-mvqp-q37c-wf9j -> CVE-2019-17513

Finding

This vulnerability was found due to this query that Jonathan Leitschuh contributed to the Semmle QL project.
https://lgtm.com/rules/1510696449842/alerts/

Impact

CVE-2020-6858 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.0-rc1); upgrading removes the vulnerable code path.

Affected versions

com.hotels.styx:styx-api (<= 1.0.0.beta8)

Security releases

com.hotels.styx:styx-api → 1.0.0-rc1 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade com.hotels.styx:styx-api to 1.0.0-rc1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2020-6858? CVE-2020-6858 is a medium-severity security vulnerability in com.hotels.styx:styx-api (maven), affecting versions <= 1.0.0.beta8. It is fixed in 1.0.0-rc1.
  2. How severe is CVE-2020-6858? CVE-2020-6858 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of com.hotels.styx:styx-api are affected by CVE-2020-6858? com.hotels.styx:styx-api (maven) versions <= 1.0.0.beta8 is affected.
  4. Is there a fix for CVE-2020-6858? Yes. CVE-2020-6858 is fixed in 1.0.0-rc1. Upgrade to this version or later.
  5. Is CVE-2020-6858 exploitable, and should I be worried? Whether CVE-2020-6858 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2020-6858 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2020-6858? Upgrade com.hotels.styx:styx-api to 1.0.0-rc1 or later.

Stop the waste.
Protect your environment with Kodem.