diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index cbdcaf15d7..b92cac9ea0 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -23,6 +23,7 @@ Yii Framework 2 Change Log
 - Bug #19735: Fix `yii\validators\NumberValidator` to use programmable message for the value validation (bizley)
 - Bug #19770: Fix `yii\mutex\MysqlMutex` `keyPrefix` expression param binding (kamarton)
 - Enh #19794: Add caching in `yii\web\Request` for `getUserIP()` and `getSecureForwardedHeaderTrustedParts()` (rhertogh)
+- Bug #19795: Fix `yii\web\Response::redirect()` to prevent setting headers with URL containing new line character (bizley)
 
 2.0.47 November 18, 2022
 ------------------------
diff --git a/framework/web/Response.php b/framework/web/Response.php
index bc06a4b04d..57349b599e 100644
--- a/framework/web/Response.php
+++ b/framework/web/Response.php
@@ -10,6 +10,7 @@ namespace yii\web;
 use Yii;
 use yii\base\InvalidArgumentException;
 use yii\base\InvalidConfigException;
+use yii\base\InvalidRouteException;
 use yii\helpers\FileHelper;
 use yii\helpers\Inflector;
 use yii\helpers\StringHelper;
@@ -886,12 +887,13 @@ class Response extends \yii\base\Response
 }
 $request = Yii::$app->getRequest();
 $normalizedUrl = Url::to($url);
- if (
- $normalizedUrl !== null
- && strncmp($normalizedUrl, '/', 1) === 0
- && strncmp($normalizedUrl, '//', 2) !== 0
- ) {
- $normalizedUrl = $request->getHostInfo() . $normalizedUrl;
+ if ($normalizedUrl !== null) {
+ if (preg_match('/\n/', $normalizedUrl)) {
+ throw new InvalidRouteException('Route with new line character detected "' . $normalizedUrl . '".');
+ }
+ if (strncmp($normalizedUrl, '/', 1) === 0 && strncmp($normalizedUrl, '//', 2) !== 0) {
+ $normalizedUrl = $request->getHostInfo() . $normalizedUrl;
+ }
 }
 
 if ($checkAjax && $request->getIsAjax()) {
diff --git a/tests/framework/web/ResponseTest.php b/tests/framework/web/ResponseTest.php
index 12ee7ef2d4..07e55b7dfa 100644
--- a/tests/framework/web/ResponseTest.php
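Review bot: The new guard in redirect() only rejects a line feed (`preg_match('/\n/', ...)`), so a URL carrying a bare carriage return still reaches the header-setting code that follows the hunk; CR is the other character PHP's header() refuses and that header injection relies on, so the check should cover both: `if (preg_match('/[\r\n]/', $normalizedUrl)) {`. Because the exception is thrown before the `$checkAjax` branch, the one check protects both the Location and the AJAX redirect paths, which is the right placement. InvalidRouteException reads oddly for a malformed URL when the class already imports InvalidArgumentException, though that is a naming choice rather than a defect. The companion test in tests/framework/web/ResponseTest.php only exercises `%0a`; a `%0d` case would pin the widened check. redirect()'s body begins and ends outside this hunk.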
+++ b/tests/framework/web/ResponseTest.php
@@ -171,6 +171,16 @@ class ResponseTest extends \yiiunit\TestCase
 );
 }
 
+ /**
+ * @see https://github.com/yiisoft/yii2/issues/19795
+ */
+ public function testRedirectNewLine()
+ {
+ $this->expectException('yii\base\InvalidRouteException');
+
+ $this->response->redirect(urldecode('http://test-domain.com/gql.json;%0aa.html'));
+ }
+
 /**
 * @dataProvider dataProviderAjaxRedirectInternetExplorer11
 */