diff --git a/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift b/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
index fae1e612d4..d31b7a4951 100644
--- a/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
+++ b/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
@@ -433,7 +433,7 @@ private extension String.UnicodeScalarView.SubSequence {
     var rangeOfTokenPrefix: Range<Index>? {
         guard !isEmpty else { return nil }
         var end = startIndex
-        while self[end].isValidMessageToken {
+        while end != self.endIndex && self[end].isValidMessageToken {
             end = self.index(after: end)
         }
         guard end != startIndex else { return nil }
diff --git a/Tests/Foundation/TestURLProtectionSpace.swift b/Tests/Foundation/TestURLProtectionSpace.swift
index 9ffbe11fae..83c5f22afa 100644
--- a/Tests/Foundation/TestURLProtectionSpace.swift
+++ b/Tests/Foundation/TestURLProtectionSpace.swift
@@ -203,5 +203,22 @@ class TestURLProtectionSpace : XCTestCase {
         XCTAssertEqual(param8_2_2.name, "param")
         XCTAssertEqual(param8_2_2.value, "")
     }
+
+    func test_createWithInvalidAuth() throws {
+        let headerFields1 = [
+            "Server": "Microsoft-IIS/10.0",
+            "request-id": "c71c2202-4013-4d64-9319-d40aba6bbe5c",
+            "WWW-Authenticate": "fdsfds",
+            "X-Powered-By": "ASP.NET",
+            "X-FEServer": "AM6PR0502CA0062",
+            "Date": "Sat, 04 Apr 2020 16:19:39 GMT",
+            "Content-Length": "0",
+        ]
+        let response1 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "https://outlook.office365.com/Microsoft-Server-ActiveSync")!,
+                                                      statusCode: 401,
+                                                      httpVersion: "HTTP/1.1",
+                                                      headerFields: headerFields1))
+        XCTAssertNil(URLProtectionSpace.create(with: response1))
+    }
     #endif
 }