GHSA-jrpc-7vxp-69p6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jrpc-7vxp-69p6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jrpc-7vxp-69p6/GHSA-jrpc-7vxp-69p6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jrpc-7vxp-69p6
- Published
- 2026-06-19T21:15:59Z
- Modified
- 2026-06-19T21:30:08.829088701Z
- Severity
-
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`
- Details
-
Impact
reverseProxy()andreverseProxyRouting()matched configured vhosts by substring on theHostheader (Containsmatcher) by default. The intended use of these functions in http4k is outbound dispatch (e.g. matching AWS service subdomains, per theContainsdocstring) and test-time composition of fake backend networks. In either of those contexts the matchedHostis set by the calling application, not by an external attacker, so the loose match has no exploit surface.If, however,
reverseProxy()was deployed as a public-facing inbound HTTP handler — which the function technically supports but is not the documented intent — an external attacker could sendHost: admin.evil.comand reach a vhost configured asadmin, bypassing routing-based authorization.The
Containsmatcher's docstring explicitly documented this loose behaviour, but becauseContainswas the default, callers who never read the matcher docs would still get the loose behaviour.Who is affected: only deployments using
reverseProxy()/reverseProxyRouting()as a public-facing inbound HTTP handler with two or more configured virtual hosts. The intended outbound / test-time usage is unaffected. If you did deployreverseProxy()inbound and rely on multi-vhost routing for authorization, treat upgrade as urgent.Patches
| Line | Fixed in | Edition | |------|----------|---------| | v6.x (Community) | 6.49.0.0 | Community | | v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org (if
reverseProxy()is present in your v5.x line) | | v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org (ifreverseProxy()is present in your v4.x line) |The fix changes the default matcher to
Exact. Existing callers that genuinely need substring matching (e.g. AWS subdomain dispatch) must explicitly passmatcher = Contains.Workarounds
For deployments that cannot upgrade immediately: wrap your
reverseProxy()with a host-allow-list filter that requires an exact match against expected vhost names before delegating. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2026-06-19T21:15:59Z", "severity": "MODERATE" }- References
Affected packages
Maven / org.http4k:http4k-core
Package
- Name
- org.http4k:http4k-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.http4k/http4k-core
Affected versions
6.*
6.0.0.0
6.0.1.0
6.1.0.0
6.1.0.1
6.2.0.0
6.4.0.0
6.4.1.0
6.5.0.0
6.5.1.0
6.5.2.0
6.5.3.0
6.5.4.0
6.5.5.0
6.5.5.1
6.5.6.0
6.5.6.1
6.6.0.0
6.6.0.1
6.6.1.0
6.7.0.0
6.8.0.0
6.8.1.0
6.9.0.0
6.9.1.0
6.9.2.0
6.10.0.0
6.10.1.0
6.10.2.0
6.11.0.0
6.11.1.0
6.12.0.0
6.13.0.0
6.14.0.0
6.15.0.0
6.15.0.1
6.15.1.0
6.16.0.0
6.17.0.0
6.18.0.1
6.18.1.0
6.19.0.0
6.20.0.0
6.20.0.1
6.20.0.2
6.20.0.3
6.20.1.0
6.20.2.0
6.20.2.1
6.21.0.0
6.21.1.0
6.22.0.0
6.23.0.0
6.23.1.0
6.24.0.0
6.24.1.0
6.25.0.0
6.25.1.0
6.26.0.0
6.26.1.0
6.27.0.0
6.28.0.0
6.28.1.0
6.29.0.0
6.30.0.0
6.30.1.0
6.31.0.0
6.31.1.0
6.32.0.0
6.33.0.0
6.34.0.0
6.35.0.0
6.36.0.0
6.37.0.0
6.38.0.0
6.39.0.0
6.39.1.0
6.40.0.0
6.40.1.0
6.41.0.0
6.42.0.0
6.43.0.0
6.44.0.0
6.45.0.0
6.45.1.0
6.46.0.0
6.46.1.0
6.47.0.0
6.47.1.0
6.47.2.0
6.48.0.0
Maven / org.http4k:http4k-core
Package
- Name
- org.http4k:http4k-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.http4k/http4k-core
Affected versions
5.*
5.0.0.0
5.1.0.0
5.1.1.0
5.1.1.1
5.1.2.0
5.1.2.1
5.2.0.0
5.2.1.0
5.3.0.0
5.4.0.0
5.4.1.0
5.5.0.0
5.6.0.0
5.6.1.0
5.6.2.0
5.6.2.1
5.6.3.0
5.6.4.0
5.6.5.0
5.7.1.0
5.7.2.0
5.7.3.0
5.7.4.0
5.7.5.0
5.8.0.0
5.8.1.0
5.8.2.0
5.8.3.0
5.8.4.0
5.8.5.0
5.8.5.1
5.8.6.0
5.9.0.0
5.10.0.0
5.10.1.0
5.10.2.0
5.10.3.0
5.10.4.0
5.10.5.0
5.10.6.0
5.10.7.0
5.11.0.0
5.11.1.0
5.12.0.0
5.12.1.0
5.12.2.0
5.12.2.1
5.13.0.0
5.13.0.1
5.13.1.0
5.13.2.0
5.13.4.0
5.13.4.1
5.13.5.0
5.13.6.0
5.13.6.1
5.13.7.0
5.13.8.0
5.13.9.0
5.14.0.0
5.14.1.0
5.14.2.0
5.14.4.0
5.14.5.0
5.15.0.0
5.16.0.0
5.16.1.0
5.16.2.0
5.17.0.0
5.18.1.0
5.18.2.0
5.19.0.0
5.20.0.0
5.21.0.0
5.21.1.0
5.21.2.0
5.22.0.0
5.23.0.0
5.24.0.0
5.24.1.0
5.25.0.0
5.26.0.0
5.26.1.0
5.27.0.0
5.28.0.0
5.28.1.0
5.29.0.0
5.30.0.0
5.30.1.0
5.31.0.0
5.31.1.0
5.32.0.0
5.32.1.0
5.32.2.0
5.32.3.0
5.32.4.0
5.33.0.0
5.33.0.1
5.33.1.0
5.34.0.0
5.34.1.0
5.35.0.0
5.35.1.0
5.35.2.0
5.35.3.0
5.35.4.0
5.35.5.0
5.36.0.0
5.37.0.0
5.37.1.0
5.37.1.1
5.38.0.0
5.39.0.0
5.40.0.0
5.41.0.0
Maven / org.http4k:http4k-core
Package
- Name
- org.http4k:http4k-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.http4k/http4k-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.51.0.0
Affected versions
v6.*
v6.3.0.0
v6.4.1.0
0.*
0.21.0
0.22.0
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.9.0
1.10.0
1.11.0
1.13.0
1.14.0
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.21.1
1.22.0
1.22.2
1.23.0
1.24.0
1.25.0
1.25.1
1.26.0
1.26.1
1.26.2
1.27.0
1.28.0
1.30.0
1.31.0
1.32.0
1.32.1
1.32.2
1.33.0
1.33.1
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.6.0
2.7.1
2.8.0
2.8.1
2.9.0
2.10.0
2.10.1
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0
2.13.0
2.14.0
2.15.0
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.18.2
2.18.3
2.18.5
2.19.0
2.20.0
2.21.0
2.21.1
2.21.2
2.22.0
2.23.0
2.23.2
2.23.3
2.23.4
2.24.0
2.25.0
2.25.1
2.25.2
2.25.3
2.25.4
2.26.0
2.26.1
2.26.2
2.26.3
2.27.0
2.27.1
2.27.2
2.28.0
2.29.0
2.29.1
2.29.2
2.29.3
2.29.4
2.30.0
2.31.0
2.31.1
2.31.2
2.31.3
2.31.4
2.32.0
2.33.0
2.33.1
2.34.0
2.35.0
2.35.1
2.36.0
2.37.0
2.38.0
2.38.1
3.*
3.0.0
3.0.1
3.1.0
3.1.1
3.1.2
3.1.3
3.2.1
3.2.2
3.2.3
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0
3.8.0
3.9.0
3.10.0
3.11.0
3.11.1
3.12.0
3.13.2
3.13.3
3.13.4
3.14.0
3.14.1
3.15.0
3.16.0
3.17.0
3.17.1
3.18.0
3.18.1
3.19.0
3.20.0
3.21.1
3.21.2
3.22.2
3.22.3
3.22.4
3.23.0
3.23.1
3.24.0
3.25.0
3.26.0
3.26.1
3.26.2
3.26.3
3.26.4
3.26.5
3.26.6
3.27.0
3.28.0
3.29.0
3.30.0
3.31.0
3.32.0
3.32.1
3.33.0
3.33.1
3.33.2
3.34.0
3.34.1
3.34.2
3.34.3
3.35.0
3.35.1
3.35.2
3.36.0
3.36.1
3.37.0
3.37.1
3.38.0
3.38.1
3.39.1
3.39.2
3.39.3
3.39.4
3.93.4
3.94.0
3.94.1
3.95.0
3.95.1
3.96.0
3.98.0
3.99.0
3.100.0
3.102.0
3.102.1
3.103.0
3.103.1
3.103.2
3.104.0
3.105.0
3.106.0
3.107.0
3.108.0
3.109.0
3.110.0
3.111.0
3.112.0
3.112.1
3.112.2
3.113.0
3.114.0
3.115.0
3.115.1
3.116.0
3.117.0
3.118.0
3.119.0
3.120.0
3.121.0
3.122.0
3.123.0
3.124.0
3.125.0
3.126.0
3.127.0
3.128.0
3.129.0
3.130.0
3.131.0
3.132.0
3.133.0
3.134.0
3.135.0
3.136.0
3.137.0
3.137.1
3.138.0
3.138.1
3.139.0
3.140.0
3.141.0
3.142.0
3.143.0
3.143.1
3.144.0
3.145.0
3.146.0
3.147.0
3.148.0
3.149.0
3.150.0
3.151.0
3.152.0
3.153.0
3.154.0
3.154.1
3.155.0
3.156.0
3.157.0
3.157.1
3.158.0
3.158.1
3.159.0
3.160.0
3.160.1
3.161.0
3.162.0
3.164.0
3.165.0
3.166.0
3.166.1
3.167.0
3.169.0
3.171.0
3.172.0
3.173.0
3.175.0
3.177.0
3.178.0
3.179.0
3.179.1
3.180.0
3.182.0
3.183.0
3.185.0
3.186.0
3.187.0
3.188.0
3.189.0
3.190.0
3.191.0
3.192.0
3.193.0
3.193.1
3.194.0
3.195.0
3.195.1
3.196.0
3.197.0
3.198.0
3.199.0
3.199.1
3.200.0
3.201.0
3.202.0
3.203.0
3.204.0
3.205.0
3.206.0
3.207.0
3.209.0
3.210.0
3.211.0
3.212.0
3.213.0
3.214.0
3.215.0
3.216.0
3.218.0
3.219.0
3.220.0
3.221.0
3.222.0
3.223.0
3.224.0
3.225.0
3.226.0
3.227.0
3.229.0
3.230.0
3.231.0
3.232.0
3.233.0
3.234.0
3.235.0
3.237.0
3.238.0
3.239.0
3.240.0
3.241.0
3.242.0
3.243.0
3.244.0
3.245.0
3.245.1
3.246.0
3.247.0
3.248.0
3.250.0
3.251.0
3.252.0
3.253.0
3.254.0
3.255.0
3.256.0
3.256.1
3.257.0
3.258.0
3.259.0
3.260.0
3.261.0
3.262.0
3.263.0
3.264.0
3.265.0
3.266.0
3.268.0
3.269.0
3.270.0
3.271.0
3.272.0
3.273.0
3.274.0
3.275.0
3.276.0
3.277.0
3.278.0
3.279.0
3.281.0
3.283.0
3.283.1
3.284.0
3.285.0
3.285.1
3.285.2
4.*
4.0.0.0
4.1.0.0
4.1.1.0
4.1.1.1
4.1.1.2
4.1.2.0
4.1.2.1
4.2.0.0
4.3.0.0
4.3.2.0
4.3.2.1
4.3.2.2
4.3.3.0
4.3.4.0
4.3.4.1
4.3.5.1
4.3.5.2
4.3.5.3
4.3.5.4
4.4.0.0
4.4.0.1
4.4.1.0
4.4.2.0
4.5.0.0
4.5.0.1
4.6.0.0
4.7.0.0
4.7.0.1
4.7.0.2
4.7.1.0
4.8.0.0
4.8.1.0
4.8.2.0
4.9.0.0
4.9.0.1
4.9.0.2
4.9.1.0
4.9.2.0
4.9.3.0
4.9.3.1
4.9.4.0
4.9.5.0
4.9.6.0
4.9.7.0
4.9.8.0
4.9.9.0
4.9.10.0
4.10.0.0.0
4.10.0.1
4.10.1.0
4.11.0.0
4.11.0.1
4.12.0.0
4.12.0.1
4.12.1.0
4.12.2.0
4.12.3.0
4.12.3.1
4.13.0.0
4.13.1.0
4.13.3.0
4.13.4.0
4.14.0.0
4.14.1.0
4.14.1.1
4.14.1.2
4.14.1.3
4.14.1.4
4.15.0.0
4.16.0.0
4.16.1.0
4.16.2.0
4.16.3.0
4.17.0.0
4.17.1.0
4.17.2.0
4.17.3.0
4.17.4.0
4.17.5.0
4.17.6.0
4.17.7.0
4.17.8.0
4.17.9.0
4.18.0.0
4.19.0.0
4.19.1.0
4.19.2.0
4.19.3.0
4.19.4.0
4.19.5.0
4.20.0.0
4.20.1.0
4.20.2.0
4.21.0.0
4.21.1.0
4.21.1.1
4.22.0.0
4.22.0.1
4.23.0.0
4.24.0.0
4.25.0.0
4.25.1.0
4.25.2.0
4.25.3.0
4.25.4.0
4.25.4.1
4.25.5.0
4.25.5.1
4.25.5.2
4.25.6.0
4.25.7.0
4.25.8.0
4.25.9.0
4.25.10.0
4.25.10.1
4.25.11.0
4.25.12.0
4.25.13.0
4.25.14.0
4.25.15.0
4.25.16.0
4.25.16.1
4.25.16.2
4.26.0.0
4.27.0.0
4.27.1.0
4.27.2.0
4.27.3.0
4.27.4.0
4.28.0.0
4.28.1.0
4.28.2.0
4.29.0.0
4.29.1.0
4.30.0.0
4.30.2.0
4.30.2.1
4.30.3.0
4.30.4.0
4.30.5.0
4.30.6.0
4.30.7.0
4.30.8.0
4.30.9.0
4.30.10.0
4.31.0.0
4.32.0.0
4.32.1.0
4.32.2.0
4.32.3.0
4.32.4.0
4.33.0.0
4.33.1.0
4.33.2.0
4.33.2.1
4.33.3.0
4.34.0.0
4.34.0.1
4.34.0.2
4.34.0.3
4.34.0.4
4.34.1.0
4.34.2.0
4.34.3.0
4.34.3.1
4.34.4.0
4.35.0.0
4.35.1.0
4.35.2.0
4.35.3.0
4.35.4.0
4.36.0.0
4.37.0.0
4.38.0.0
4.38.0.1
4.39.0.0
4.40.0.0
4.40.1.0
4.40.2.0
4.41.0.0
4.41.1.0
4.41.1.1
4.41.2.0
4.41.3.0
4.41.4.0
4.42.0.0
4.42.1.0
4.43.0.0
4.43.1.0
4.44.0.0
4.44.1.0
4.45.0.0
4.46.0.0
4.47.1.0
4.47.2.0
4.48.0.0
4.48.2.0