CVE-2025-59822

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-59822

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59822.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-59822

Aliases

GHSA-wcwh-7gfw-5wrr

Published

2025-09-23T18:54:42.867Z

Modified

2026-04-10T05:33:30.715036Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section

Details

Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59822.json"
}

References

Affected packages

Git / github.com/http4s/http4s

Affected ranges

Type

GIT

Repo

https://github.com/http4s/http4s

Events

Introduced

Fixed

36b243fc49ea692e4bf26241c75db53ff7d82261

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23.31"
        }
    ]
}

Type

GIT

Repo

https://github.com/http4s/http4s

Events

Introduced

756ce63aee681c5b632bbeafe0b8fde2f3d237f4

Fixed

3ee1907aa54ce1928a913049cf7e22ca5fbf8cca

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0-M1"
        },
        {
            "fixed": "1.0.0-M45"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.14.1

v0.17.0-M1

v0.18.0

v0.18.0-M1

v0.18.0-M2

v0.18.0-M3

v0.18.0-M4

v0.18.0-M5

v0.18.0-M6

v0.18.0-M7

v0.18.0-M8

v0.18.0-M9

v0.19.0

v0.19.0-M1

v0.19.0-M2

v0.19.0-M3

v0.2.0

v0.20.0

v0.20.0-M1

v0.20.0-M2

v0.20.0-M3

v0.20.0-M4

v0.20.0-M5

v0.20.0-M6

v0.20.0-M7

v0.20.0-RC1

v0.21.0

v0.21.0-M1

v0.21.0-M3

v0.21.0-M4

v0.21.0-M5

v0.21.0-M6

v0.21.0-RC1

v0.21.0-RC2

v0.21.0-RC3

v0.21.0-RC4

v0.21.0-RC5

v0.23.0

v0.23.0-M1

v0.23.1

v0.23.10

v0.23.11

v0.23.12

v0.23.13

v0.23.14

v0.23.15

v0.23.16

v0.23.18

v0.23.19

v0.23.19-RC1

v0.23.19-RC2

v0.23.2

v0.23.20

v0.23.22

v0.23.23

v0.23.24

v0.23.25

v0.23.26

v0.23.27

v0.23.28

v0.23.29

v0.23.3

v0.23.30

v0.23.5

v0.23.6

v0.23.7

v0.23.8

v0.23.9

v0.3.0

v0.5.0

v0.6.0

v0.7.0

v0.8.1

v0.9.0

v1.*

v1.0.0-M1

v1.0.0-M10

v1.0.0-M11

v1.0.0-M12

v1.0.0-M13

v1.0.0-M15

v1.0.0-M16

v1.0.0-M17

v1.0.0-M19

v1.0.0-M2

v1.0.0-M20

v1.0.0-M21

v1.0.0-M22

v1.0.0-M24

v1.0.0-M26

v1.0.0-M28

v1.0.0-M29

v1.0.0-M3

v1.0.0-M30

v1.0.0-M31

v1.0.0-M32

v1.0.0-M33

v1.0.0-M34

v1.0.0-M35

v1.0.0-M36

v1.0.0-M37

v1.0.0-M39

v1.0.0-M4

v1.0.0-M40

v1.0.0-M41

v1.0.0-M42

v1.0.0-M43

v1.0.0-M44

v1.0.0-M5

v1.0.0-M6

v1.0.0-M7

v1.0.0-M8

v1.0.0-M9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59822.json"