The HTTP/2 server's request validator passed only :method, :path, and :authority through a normalizer that rejects CR/LF/CTL but permits SP/HTAB and applies neither a token grammar nor a host grammar. As a result, a :method such as "GET /admin?x=" was accepted, :path could carry interior whitespace, and :authority was never host-validated; on HTTP/1 downgrade these values were written verbatim into the request line, enabling request smuggling past path-based ACLs. Separately, a request could carry both a benign :authority and a mismatched Host header, which the HTTP/1 serializer forwarded verbatim, so a proxy could authorize on :authority while forwarding a hostile Host to an origin.
These gaps enabled request smuggling past path-based access controls and authority/Host confusion when HTTP/2 requests were downgraded or forwarded.
Fixed in HTTP.jl v2.4.0. :method must match the RFC 9110 token charset, :path must not contain interior SP/HTAB, :authority must pass the host validator, and, per RFC 9113 §8.3.1, when :authority is present every Host header value (all entries, not just the first) must equal it; otherwise the request is rejected as malformed.
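The checks described above, as an added illustration in Python rather than HTTP.jl's own code: the validator enforces the RFC 9110 token charset on :method, rejects interior SP/HTAB in :path, applies a (deliberately simplified, assumed) host grammar to :authority, and compares every Host value against :authority before the HTTP/1 request line is ever serialized.

```python
import re
from typing import List, Optional, Tuple

# RFC 9110 tchar set: "!#$%&'*+-.^_`|~" plus DIGIT / ALPHA.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Host = reg-name / IPv4 literal / "[" IPv6 literal "]", with optional ":" port.
# Simplified grammar chosen for this example; not HTTP.jl's host validator.
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::[0-9]{1,5})?"
)


def _has_ctl(s: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def validate_h2_request(pseudo: dict, headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return a rejection reason, or None when the pseudo-headers are acceptable."""
    method = pseudo.get(":method", "")
    path = pseudo.get(":path", "")
    authority = pseudo.get(":authority")
    if not _TOKEN_RE.fullmatch(method):
        return f":method is not an RFC 9110 token: {method!r}"
    if not path or _has_ctl(path) or " " in path or "\t" in path:
        return f":path contains whitespace or control characters: {path!r}"
    if authority is not None:
        if not _HOST_RE.fullmatch(authority):
            return f":authority fails host grammar: {authority!r}"
        # RFC 9113 8.3.1: every Host value must agree with :authority, not just the first.
        for name, value in headers:
            if name.lower() == "host" and value != authority:
                return f"Host {value!r} does not match :authority {authority!r}"
    return None


def downgrade_to_http1(pseudo: dict, headers: List[Tuple[str, str]]) -> bytes:
    """Serialize to HTTP/1.1 only after validation, so pseudo-header contents
    can never reach the request line unchecked."""
    reason = validate_h2_request(pseudo, headers)
    if reason is not None:
        raise ValueError("malformed request: " + reason)
    authority = pseudo.get(":authority")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    if authority is not None:
        # Host values already proved equal to :authority; emit a single Host line.
        lines.append(f"Host: {authority}")
    lines += [f"{n}: {v}" for n, v in headers if authority is None or n.lower() != "host"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
```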
Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
{
"license": "CC-BY-4.0"
}