The default WebSocket Origin validator (_origin_allowed_default) only enforced the host component of the same-origin tuple. It never checked the Origin's scheme, and when the request Host header carried no explicit port (the norm for default-port 80/443 servers, where browsers omit the port) it fell through to a hostname-only comparison that discarded the Origin's port. As a result a wss://example.com server accepted cross-scheme/cross-port origins such as http://example.com or http://example.com:8080.
An attacker controlling another scheme or port on the same hostname could open an authenticated WebSocket from a victim's browser using the victim's cookies (cross-site WebSocket hijacking).
Fixed in HTTP.jl v2.4.0. _origin_allowed_default now requires the Origin's scheme to match the server transport and compares effective ports, substituting the scheme default port (443 when secure, else 80) when the Host header omits one and handling bracketed IPv6 literals. The server_secure flag is plumbed through all upgrade call sites; the empty-Origin allowance, cross-host rejection, and malformed-Origin rejection are preserved.
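The pre-fix and post-fix checks side by side, as an added Python re-implementation of the logic described above (not HTTP.jl's own code): origin_allowed_vulnerable approximates the host-only comparison, and origin_allowed_fixed enforces the full (scheme, host, effective port) tuple with default-port substitution and bracketed IPv6 handling. The function names and the helper are assumptions for illustration.

```python
from urllib.parse import urlsplit


def _split_host_port(authority: str, default_port: int) -> tuple[str, int]:
    """Parse "host", "host:port", "[v6]" or "[v6]:port" into (lowercased host, effective port).
    Raises ValueError on anything malformed so the caller can reject it."""
    if authority.startswith("["):                      # bracketed IPv6 literal
        end = authority.find("]")
        rest = authority[end + 1:] if end != -1 else ""
        if end == -1 or (rest and not rest.startswith(":")):
            raise ValueError("malformed IPv6 authority")
        host, port_str = authority[1:end], rest[1:]
    else:
        host, sep, port_str = authority.rpartition(":")
        if not sep:
            host, port_str = authority, ""
        if ":" in host:                                # unbracketed IPv6 is ambiguous
            raise ValueError("unbracketed IPv6 literal")
    if not host or (port_str and not port_str.isdigit()):
        raise ValueError("empty host or non-numeric port")
    # Substitute the scheme default when no port is given, so a Host of
    # "example.com" and an Origin of "https://example.com:443" compare equal.
    return host.lower(), (int(port_str) if port_str else default_port)


def origin_allowed_fixed(origin: str, host_header: str, server_secure: bool) -> bool:
    """Patched logic: Origin scheme must match the server transport and the
    (host, effective port) pair must match the request Host header."""
    if origin == "":                                   # no Origin: non-browser client, allowed
        return True
    scheme, default_port = ("https", 443) if server_secure else ("http", 80)
    try:
        parts = urlsplit(origin)
        if parts.scheme.lower() != scheme or not parts.netloc:
            return False                               # cross-scheme or malformed (e.g. "null")
        return _split_host_port(parts.netloc, default_port) == _split_host_port(host_header, default_port)
    except ValueError:                                 # urlsplit or the parser rejected it
        return False


def origin_allowed_vulnerable(origin: str, host_header: str) -> bool:
    """Constructed approximation of the pre-fix check: the scheme is never consulted
    and, when Host carries no explicit port, only hostnames are compared (IPv6 omitted)."""
    if origin == "":
        return True
    netloc = urlsplit(origin).netloc
    if not netloc:
        return False
    if ":" in host_header:                             # Host has a port: full authority match
        return netloc.lower() == host_header.lower()
    return netloc.rsplit(":", 1)[0].lower() == host_header.lower()
```

Run the two checks against a cross-port Origin such as http://example.com:8080 with a Host of example.com to see the old check accept what the new one rejects.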
Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
{
"license": "CC-BY-4.0"
}