PT-2023-18517 · Http4S · Http4S

High · rossabaker · Published 2023-01-04 · Updated 2023-01-11 · CVE-2023-22465

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Http4s versions 0.1.0 through 0.21.33
Http4s versions 0.22.0 through 0.22.14
Http4s versions 0.23.0 through 0.23.16
Http4s versions 1.0.0-M0 through 1.0.0-M37

Description
The User-Agent and Server header parsers in Http4s are susceptible to a fatal error on certain inputs. Because Http4s parses modeled headers lazily, only services that explicitly request these typed headers are affected.

Recommendations
For Http4s versions 0.1.0 through 0.21.33, update to version 0.21.34 or later.
For Http4s versions 0.22.0 through 0.22.14, update to version 0.22.15 or later.
For Http4s versions 0.23.0 through 0.23.16, update to version 0.23.17 or later.
For Http4s versions 1.0.0-M0 through 1.0.0-M37, update to version 1.0.0-M38 or later.
As a temporary workaround for all affected versions, consider using the weakly typed header interface to minimize the risk of exploitation.
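The workaround above in code, as an added example that is not part of this advisory or of the http4s project: a route that requests the modeled `User-Agent` header (which runs the affected parser on vulnerable versions) next to the same route reading the header through the weakly typed interface. It assumes the http4s 0.23 API (`org.http4s.dsl.io`, `org.typelevel.ci`); older release lines name these calls differently.

```scala
import cats.effect.IO
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.headers.`User-Agent`
import org.typelevel.ci._

// Assumption: http4s 0.23.x API. Example code for this advisory, not http4s project code.
object UserAgentRoutes {

  // Pattern affected on vulnerable versions: asking for the modeled header forces
  // the User-Agent parser to run over client-controlled input.
  val typed: HttpRoutes[IO] = HttpRoutes.of[IO] {
    case req @ GET -> Root / "typed" =>
      val ua: Option[`User-Agent`] = req.headers.get[`User-Agent`]
      Ok(ua.map(_.product.toString).getOrElse("no user-agent"))
  }

  // Workaround from the advisory: read the header through the weakly typed
  // interface. Header.Raw keeps the value as a String, so the affected parser
  // is never exercised.
  val weaklyTyped: HttpRoutes[IO] = HttpRoutes.of[IO] {
    case req @ GET -> Root / "raw" =>
      val ua: Option[String] = req.headers.get(ci"User-Agent").map(_.head.value)
      Ok(ua.getOrElse("no user-agent"))
  }
}
```

Grep for `get[`User-Agent`]`, `get[Server]` and the equivalent typed lookups on the other release lines to find the call sites that need the workaround until the upgrade lands.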

Related Identifiers

CVE-2023-22465
GHSA-54W6-VXFH-FW7F

Affected Products

Http4S