PT-2021-22442 · Http4S · Http4S

Rossabaker · Published 2021-09-01 · Updated 2021-09-15 · CVE-2021-39185

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

http4s versions 0.21.26 and prior
http4s versions 0.22.0 through 0.22.2
http4s versions 0.23.0 and 0.23.1
http4s versions 1.0.0-M1 through 1.0.0-M24
Description

The default CORS configuration in http4s is vulnerable to an origin reflection attack and a null origin attack. This allows a malicious script to exfiltrate sensitive information using the user's credentials. The issue stems from the anyOrigin flag in CORSConfig being true by default, which shares resources with any origin regardless of the allowedOrigins setting. Additionally, the allowCredentials setting is true by default, so responses that required credentials, and therefore may contain sensitive information, are shared with any origin.
Recommendations

For versions 0.21.26 and prior, update to version 0.21.27 or later.
For versions 0.22.0 through 0.22.2, update to version 0.22.3 or later.
For versions 0.23.0 and 0.23.1, update to version 0.23.2 or later.
For versions 1.0.0-M1 through 1.0.0-M24, update to version 1.0.0-M25 or later.

As a temporary workaround, set anyOrigin to false and list only trusted origins in allowedOrigins, or disable credentials by setting allowCredentials to false.
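As an added illustration (not code from the advisory or from the http4s project), the weak and the hardened configuration side by side for an affected 0.21.x release, where the CORSConfig case class named above exists. The route, the trusted origin and the maxAge value are assumptions; maxAge is a required constructor field of that API and is not discussed in the advisory.

```scala
import cats.effect.IO
import org.http4s.HttpRoutes
import org.http4s.dsl.io._
import org.http4s.server.middleware.{CORS, CORSConfig}
import scala.concurrent.duration._

object CorsHardening {
  // Hypothetical route whose response depends on the caller's session cookie.
  val routes: HttpRoutes[IO] = HttpRoutes.of[IO] {
    case GET -> Root / "account" => Ok("account details")
  }

  // Weak: the two defaults the advisory describes, spelled out explicitly.
  // anyOrigin = true reflects whatever Origin the browser sends (including
  // "null") and ignores allowedOrigins; allowCredentials = true lets the
  // browser attach cookies, so any page can read the authenticated response.
  val weakConfig: CORSConfig = CORSConfig(
    anyOrigin = true,
    allowCredentials = true,
    maxAge = 1.day.toSeconds // assumed value; field not covered by the advisory
  )
  val vulnerable: HttpRoutes[IO] = CORS(routes, weakConfig)

  // Hardened (the advisory's workaround): stop reflecting arbitrary origins
  // and allow-list the trusted ones. Credentials can stay enabled because
  // only an allow-listed origin is now granted access.
  val trustedOrigins: Set[String] = Set("https://app.example.com") // hypothetical
  val hardenedConfig: CORSConfig = CORSConfig(
    anyOrigin = false,
    allowCredentials = true,
    maxAge = 1.day.toSeconds,
    allowedOrigins = trustedOrigins.contains
  )
  val hardened: HttpRoutes[IO] = CORS(routes, hardenedConfig)

  // Alternative workaround from the advisory: keep the origin handling but
  // refuse credentialed cross-origin requests altogether.
  val noCredentialsConfig: CORSConfig = weakConfig.copy(allowCredentials = false)
}
```

With the hardened configuration, a preflight or actual request carrying an Origin outside trustedOrigins receives no Access-Control-Allow-Origin header, so the browser withholds the response from the calling script.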

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2021-39185
GHSA-52CF-226F-RHR6

Affected Products

Http4S