Armeria is vulnerable to HTTP response splitting. A remote attacker is able to inject arbitrary HTTP headers using CRLF characters sequence. This is due to using unsanitized data to populate the headers in an HTTP response. The vulnerability can potentially lead to successful cache poisoning and XSS attacks.