JLSEC-2025-1

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-1.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-1.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2025-1
Aliases
Published
2025-10-08T17:41:37.190Z
Modified
2025-11-06T22:57:35.093049Z
Summary
CR/LF injection in URIs.jl (also affects HTTP.jl)
Details

Description

The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters, and those bytes were written unchanged into the request line. If user input was not otherwise escaped or validated, this could lead to a CRLF injection attack.

With this simple Julia code, you can inject a custom header named Foo with the value bar:

import HTTP

# The URI ends the request line early (" HTTP/1.1\r\n"), adds a "Foo: bar" header,
# and the trailing "baz:" absorbs the " HTTP/1.1" the client appends itself.
HTTP.get("http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:")

The server will receive the request like this:

➜ ncat -klp 1337
GET / HTTP/1.1
Foo: bar <-- injected header!
baz: HTTP/1.1
Host: localhost:1337
Accept: */*
User-Agent: HTTP.jl/1.11.5
Content-Length: 0
Accept-Encoding: gzip

Impact

An attacker who controls any part of a URI can inject arbitrary headers, or data into the request body, of the outgoing request. The advisory describes the result as “HTTP response splitting”; on the client side this is more precisely CRLF/header injection into the request, which can also be used to smuggle a second request to the server.

Patches

Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17. All prior versions are vulnerable.

Users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. All prior versions are vulnerable.

The check for valid URIs now lives in the URIs.jl package, and HTTP.jl v1.10.17 depends on the fixed URIs.jl and so incorporates that fix.

Workarounds

Manually validate any URIs before passing them to URIs.jl or HTTP.jl functions; in particular, reject any URI string that contains CR, LF or other control characters, since none of them are valid in a URI.
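The following is an added example of such a pre-validation guard, not code from the advisory or from URIs.jl/HTTP.jl; the function name `checked_uri` and the sample inputs are assumptions. It rejects the advisory's payload before it can reach HTTP.get and lets a benign URI through:

```julia
# Added example, not part of URIs.jl or HTTP.jl: a workaround guard for code that
# must keep running on versions before URIs.jl v1.6.0 / HTTP.jl v1.10.17.
import URIs  # only used to parse the string once it has been validated

# Reject any URI string carrying characters that could terminate the request line
# or a header when the client serialises the request. CR and LF are the injection
# primitive; other ASCII control characters and the space that splits the request
# line are rejected as well, since RFC 3986 allows none of them in a URI.
function checked_uri(s::AbstractString)
    for c in s
        if c == '\r' || c == '\n' || c == ' ' || iscntrl(c)
            throw(ArgumentError("illegal control or space character in URI: $(repr(c))"))
        end
    end
    return URIs.URI(s)
end

# Constructed inputs: the advisory's payload and a benign URI.
malicious = "http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:"
benign    = "http://localhost:1337/path?q=1"

try
    checked_uri(malicious)
    println("accepted (should not happen)")
catch e
    println("rejected: ", e.msg)   # the injection attempt never reaches HTTP.get
end

println("accepted: ", checked_uri(benign))
```

Call `checked_uri` on every externally influenced URI string and pass the returned `URIs.URI` to HTTP.jl rather than the raw string; the guard is deliberately stricter than the vulnerability requires so that a later change in how the request line is serialised cannot reopen the hole.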

References

Fixed by: https://github.com/JuliaWeb/URIs.jl/pull/66 (which is available in URIs.jl v1.6.0).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-06-24T23:01:25Z",
            "url": "https://api.github.com/repos/JuliaWeb/HTTP.jl/security-advisories/GHSA-4g68-4pxg-mw93",
            "modified": "2025-06-24T23:01:25Z",
            "html_url": "https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93",
            "id": "GHSA-4g68-4pxg-mw93",
            "imported": "2025-10-07T01:14:17.940Z"
        }
    ]
}
Affected packages

Julia / HTTP

Package

Name
HTTP
Purl
pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.17

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-1.json"

Julia / URIs

Package

Name
URIs
Purl
pkg:julia/URIs?uuid=5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.6.0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-1.json"