JLSEC-2026-616
- Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-616.md
- Import Source
- https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-616.json
- JSON Data
- https://api.osv.dev/v1/vulns/JLSEC-2026-616
- Aliases
-
- ANT-2026-23PZ587V
- ANT-2026-5W0B63VQ
- ANT-2026-8WT2MXD5
- ANT-2026-P0SGS9PG
- Upstream
- Published
- 2026-06-23T12:59:32.708Z
- Modified
- 2026-06-23T17:30:14.366081505Z
- Summary
- HTTP/1 client request smuggling via CR/LF in method, target, or host in HTTP.jl
- Details
-
Description
The HTTP/1 client serialized
request.methodandrequest.target(and, in forward-proxy absolute-form, the host) verbatim onto the wire with no CR/LF/CTL filtering; the only target validator was wired solely into the server parse path. A caller passing an attacker-influenced URL or method to the client could embed\r\nin the method, path, or query to inject arbitrary request headers, or\r\n\r\nto smuggle a second pipelined request onto a pooled keep-alive (or proxy-forwarded) connection. The HTTP/2 client already rejected CR/LF in:path, so this was an HTTP/1-specific omission.Impact
CR/LF injection in client request start lines could lead to header injection and request smuggling on reused or proxied connections.
Patches
Fixed in HTTP.jl v2.4.0. A new
_validate_request_start_line!validates the method against the RFC 7230 token grammar, delegates target validation to the existing_validate_request_target!, and rejects control bytes in a supplied host. It is wired into all HTTP/1 wire start-line writers (origin-form, CONNECT authority-form, asterisk-form, websocket, and forward-proxy absolute-form) before any bytes are emitted, rejecting offending requests with aParseError.Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
- Database specific
{ "license": "CC-BY-4.0" }- References