RFC 9110 specifies that header field names must be nonempty:

```
field-name = token
token = 1*tchar
```
Libevent does not enforce this rule, and allows empty header names.
For example, Libevent accepts the following request:

```
GET / HTTP/1.1\r\n
Host: a\r\n
: no-name\r\n
\r\n
\r\n
```
In the past, empty header names have been used to execute request smuggling attacks, due to the fact that some gateways have historically treated `\r\n:\r\n` equivalently to `\r\n\r\n`.
Most HTTP servers (including AIOHTTP, Apache, Daphne, Deno, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, LiteSpeed, Passenger, Puma, Tomcat, Unicorn, Uvicorn, Waitress, and WEBrick) reject requests containing empty header names. Libevent should probably do the same.