CVE-2025-59822

Source
https://cve.org/CVERecord?id=CVE-2025-59822
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59822.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59822
Aliases
Published
2025-09-23T18:54:42.867Z
Modified
2025-12-05T10:21:03.243211Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
Details

Http4s is a Scala interface for HTTP services. Versions before 0.23.31, and versions from 1.0.0-M1 to before 1.0.0-M45, are vulnerable to HTTP Request Smuggling due to improper handling of the HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers' security controls, launch targeted attacks against active users, and poison web caches. Exploitation requires that the web application be deployed behind a reverse proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.

Database specific
{
    "cwe_ids": [
        "CWE-444"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59822.json"
}
References

Affected packages

Git / github.com/http4s/http4s

Affected ranges

Type
GIT
Repo
https://github.com/http4s/http4s
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.23.31"
        }
    ]
}
Type
GIT
Repo
https://github.com/http4s/http4s
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.0.0-M1"
        },
        {
            "fixed": "1.0.0-M45"
        }
    ]
}

Affected versions

scalafix-v0.*
scalafix-v0.20.0
v0.*
v0.1.0
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.1
v0.14.10
v0.14.11
v0.14.2
v0.14.3
v0.14.4
v0.14.5
v0.14.6
v0.14.7
v0.14.8
v0.14.9
v0.15.0
v0.15.10
v0.15.11
v0.15.12
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.15.9
v0.16.0
v0.16.0-M1
v0.16.0-M2
v0.16.0-M3
v0.16.0-RC1
v0.16.0-RC2
v0.16.0-RC3
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.16.5
v0.16.6
v0.17.0
v0.17.0-M1
v0.17.0-M2
v0.17.0-M3
v0.17.0-RC1
v0.17.0-RC2
v0.17.0-RC3
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.18.0
v0.18.0-M1
v0.18.0-M2
v0.18.0-M3
v0.18.0-M4
v0.18.0-M5
v0.18.0-M6
v0.18.0-M7
v0.18.0-M8
v0.18.0-M9
v0.18.1
v0.18.10
v0.18.11
v0.18.12
v0.18.13
v0.18.14
v0.18.15
v0.18.16
v0.18.17
v0.18.18
v0.18.19
v0.18.2
v0.18.20
v0.18.21
v0.18.22
v0.18.23
v0.18.24
v0.18.25
v0.18.26
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.8
v0.18.9
v0.19.0
v0.19.0-M1
v0.19.0-M2
v0.19.0-M3
v0.19.0-M4
v0.2.0
v0.20.0
v0.20.0-M1
v0.20.0-M2
v0.20.0-M3
v0.20.0-M4
v0.20.0-M5
v0.20.0-M6
v0.20.0-M7
v0.20.0-RC1
v0.20.1
v0.20.10
v0.20.11
v0.20.12
v0.20.13
v0.20.14
v0.20.15
v0.20.16
v0.20.17
v0.20.18
v0.20.19
v0.20.2
v0.20.20
v0.20.21
v0.20.22
v0.20.23
v0.20.3
v0.20.4
v0.20.6
v0.20.7
v0.20.8
v0.20.9
v0.21.0
v0.21.0-M1
v0.21.0-M2
v0.21.0-M3
v0.21.0-M4
v0.21.0-M5
v0.21.0-M6
v0.21.0-RC1
v0.21.0-RC2
v0.21.0-RC3
v0.21.0-RC4
v0.21.0-RC5
v0.21.1
v0.21.11
v0.21.12
v0.21.13
v0.21.14
v0.21.15
v0.21.16
v0.21.18
v0.21.19
v0.21.2
v0.21.20
v0.21.21
v0.21.22
v0.21.23
v0.21.24
v0.21.25
v0.21.26
v0.21.27
v0.21.28
v0.21.29
v0.21.3
v0.21.30
v0.21.31
v0.21.32
v0.21.33
v0.21.34
v0.21.4
v0.21.5
v0.21.6
v0.21.7
v0.21.8
v0.21.9
v0.22.0
v0.22.0-M1
v0.22.0-M2
v0.22.0-M3
v0.22.0-M4
v0.22.0-M5
v0.22.0-M6
v0.22.0-M7
v0.22.0-M8
v0.22.0-RC1
v0.22.1
v0.22.10
v0.22.11
v0.22.12
v0.22.13
v0.22.14
v0.22.15
v0.22.2
v0.22.3
v0.22.4
v0.22.5
v0.22.6
v0.22.7
v0.22.8
v0.22.9
v0.23.0
v0.23.0-M1
v0.23.0-RC1
v0.23.1
v0.23.10
v0.23.11
v0.23.12
v0.23.13
v0.23.14
v0.23.15
v0.23.16
v0.23.17
v0.23.18
v0.23.19
v0.23.19-RC1
v0.23.19-RC2
v0.23.19-RC3
v0.23.2
v0.23.20
v0.23.21
v0.23.22
v0.23.23
v0.23.24
v0.23.25
v0.23.26
v0.23.27
v0.23.28
v0.23.29
v0.23.3
v0.23.30
v0.23.31
v0.23.4
v0.23.5
v0.23.6
v0.23.7
v0.23.8
v0.23.9
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.6.0
v0.6.1
v0.6.2
v0.6.4
v0.6.5
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v1.*
v1.0.0-M1
v1.0.0-M10
v1.0.0-M11
v1.0.0-M12
v1.0.0-M13
v1.0.0-M14
v1.0.0-M15
v1.0.0-M16
v1.0.0-M17
v1.0.0-M18
v1.0.0-M19
v1.0.0-M2
v1.0.0-M20
v1.0.0-M21
v1.0.0-M22
v1.0.0-M23
v1.0.0-M24
v1.0.0-M25
v1.0.0-M26
v1.0.0-M27
v1.0.0-M28
v1.0.0-M29
v1.0.0-M3
v1.0.0-M30
v1.0.0-M31
v1.0.0-M32
v1.0.0-M33
v1.0.0-M34
v1.0.0-M35
v1.0.0-M36
v1.0.0-M37
v1.0.0-M39
v1.0.0-M4
v1.0.0-M40
v1.0.0-M41
v1.0.0-M42
v1.0.0-M43
v1.0.0-M44
v1.0.0-M5
v1.0.0-M6
v1.0.0-M7
v1.0.0-M8
v1.0.0-M9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59822.json"