JLSEC-2026-615
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-615.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-615.json
- JSON Data
- https://api.osv.dev/v1/vulns/JLSEC-2026-615
- Aliases
-
- ANT-2026-9G63DER3
- ANT-2026-GY6HYQTG
- ANT-2026-ZK96ACV8
- Upstream
- Published
- 2026-06-23T12:59:32.708Z
- Modified
- 2026-06-23T17:30:14.334026678Z
- Summary
- Cookie jar accepts Secure/__Host-/__Secure- cookies from non-secure origins in HTTP.jl
- Details
-
Description
setcookies!stored every parsedSet-Cookieafter only checking that the response scheme was http or https, with no protection symmetric to the read path (shouldsend, which already withholdsSecurecookies from non-secure requests). A plaintext (http) origin could therefore plant aSecurecookie, plant a__Secure-/__Host--prefixed cookie, or overwrite/delete (viaMax-Age=-1) an existingSecurecookie set over https, enabling cookie fixation against hosts that mix http and https.Impact
A network attacker or malicious http origin could set, overwrite, or delete security-sensitive cookies in the client's cookie jar, enabling cookie fixation.
Patches
Fixed in HTTP.jl v2.4.0. Per RFC 6265bis,
setcookies!now drops anySecurecookie arriving over a non-secure scheme, enforces the__Secure-and__Host-name prefixes (evaluated ASCII case-insensitively on the raw attributes), and refuses to overwrite or delete an existingSecurecookie of the same domain;path;name identity from a non-secure origin. Behavior over https is unchanged.Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
- Database specific
{ "license": "CC-BY-4.0" }- References