Kazuho

#50878 of 53,632
4.3 Total CVSS
Vulnerabilities · 1
PT-2016-4591
4.3
2016-01-16
H2O · H2O · CVE-2016-1133
**Name of the Vulnerable Software and Affected Versions**

- H2O versions prior to 1.6.2
- H2O versions 1.7.x prior to 1.7.0-beta3

**Description**

A CRLF injection issue exists in the `on_req` function in `lib/handler/redirect.c`, allowing remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URI.

**Recommendations**

- For H2O versions prior to 1.6.2, update to version 1.6.2 or later.
- For H2O versions 1.7.x prior to 1.7.0-beta3, update to version 1.7.0-beta3 or later.