PT-2021-23077 · Http4S · Http4S

Published: 2021-09-21 · Updated: 2022-10-25 · CVE-2021-41084

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
http4s versions prior to 0.21.30
http4s versions prior to 0.22.5
http4s versions prior to 0.23.4
http4s versions prior to 1.0.0-M27

Description
http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create certain fields, including Header.name, Header.value, Status.reason, Uri.Path, and URI.RegName. This issue can be exploited by malicious users to hijack responses from the server and return different content. The carriage return, newline, and null characters are the most threatening. As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend.

Recommendations
For versions prior to 0.21.30, update to version 0.21.30 or later.
For versions prior to 0.22.5, update to version 0.22.5 or later.
For versions prior to 0.23.4, update to version 0.23.4 or later.
For versions prior to 1.0.0-M27, update to version 1.0.0-M27 or later.
As a temporary workaround, consider sanitizing any user input in the aforementioned fields before returning a request or response to the backend, by replacing null, carriage return, and newline characters with space characters.
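The following is an added illustration, not http4s code, of why the three characters named above matter and of the temporary workaround the advisory suggests. It serialises a minimal response with a constructed, tainted Location value, counts how many status lines a naive client would see, and shows that replacing NUL, CR and LF with spaces collapses the split back to a single message.

```python
import re
from typing import List, Tuple

# The characters the advisory names as most threatening in Header.name,
# Header.value, Status.reason, Uri.Path and RegName: NUL, CR and LF.
SPLIT_CHARS = re.compile(r"[\x00\r\n]")


def sanitize_field(value: str) -> str:
    """Temporary workaround from the advisory: replace NUL, CR and LF with
    spaces so user input can never terminate a header line or message."""
    return SPLIT_CHARS.sub(" ", value)


def has_split_chars(value: str) -> bool:
    """Detection-side check: flag input that would split a message."""
    return SPLIT_CHARS.search(value) is not None


def build_response(status_reason: str, headers: List[Tuple[str, str]], body: str) -> bytes:
    """Serialise an HTTP/1.1 response with no validation at all, mimicking a
    framework that trusts the caller for reason and header fields (constructed
    example, not http4s's encoder)."""
    lines = [f"HTTP/1.1 302 {status_reason}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")


def count_messages(raw: bytes) -> int:
    """Count status lines at line start: a split response yields more than one."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


# Constructed attacker-controlled redirect target containing a CRLF pair that
# ends the first response and starts a second, attacker-chosen one.
TAINTED_LOCATION = "/home\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def demo() -> Tuple[int, int]:
    """Return (messages seen without sanitizing, messages seen with it)."""
    unsafe = build_response("Found", [("Location", TAINTED_LOCATION)], "")
    safe = build_response("Found", [("Location", sanitize_field(TAINTED_LOCATION))], "")
    return count_messages(unsafe), count_messages(safe)


if __name__ == "__main__":
    print(demo())  # (2, 1)
```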

Weakness Enumeration
SSRF
Special Elements Injection

Related Identifiers
CVE-2021-41084
GHSA-5VCM-3XC3-W7X3

Affected Products

Http4S