CVE-2020-5280

Name of the Vulnerable Software and Affected Versions http4s versions prior to 0.18.26 http4s versions prior to 0.20.20 http4s versions prior to 0.21.2

Description The issue applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService, and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly, allowing requests with path info containing ../ or // to expose resources outside of the configured location. This can lead to exposure of files on the local file system or resources on the class path. The vulnerability also involves prefix matching and URI decoding issues, which can cause incorrect exposure of resources.

Recommendations For versions prior to 0.18.26, upgrade to version 0.18.26 or later. For versions prior to 0.20.20, upgrade to version 0.20.20 or later. For versions prior to 0.21.2, upgrade to version 0.21.2 or later. As a temporary workaround, consider copying the patched FileService.scala, ResourceService.scala, and WebjarService.scala from the appropriate release series into your project and recompiling with that, changing the package name and reference in your application. Users of a servlet backend can use the servlet container's file serving capabilities as an alternative.