PT-2025-45887 · Julia · Http+1

Published 2025-10-08 · Updated 2025-10-08


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Description

The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or validated, this could lead to a CRLF injection attack.
With this simple Julia code, you can inject a custom header named Foo with the value bar:
```julia
import HTTP

# Proof of concept from the advisory: the CR/LF sequences embedded in the URI
# string terminate the request line and start new header lines.
HTTP.get("http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:")
```
The server will receive the request like this:

```text
➜ ncat -klp 1337
GET / HTTP/1.1
Foo: bar <-- injected header!
baz: HTTP/1.1
Host: locahost:1337
Accept: */*
User-Agent: HTTP.jl/1.11.5
Content-Length: 0
Accept-Encoding: gzip
```

Impact

An attacker who controls part of a URI can inject headers or inject data into the request body, and can cause "HTTP response splitting".

Patches

Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17. All prior versions are vulnerable.
Users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. All prior versions are vulnerable.
The check for valid URIs is now in the URIs.jl package, and the latest version of HTTP.jl incorporates that fix.

Workarounds

Manually validate any URIs before passing them on to functions in this package.
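One way to implement this workaround on an unpatched installation, as an added example that is not part of the advisory or of the HTTP.jl/URIs.jl projects: reject any URI containing CR, LF, other control characters, or unencoded whitespace before it reaches HTTP.jl. The names `validate_uri` and `safe_get` are hypothetical.

```julia
import HTTP

# Characters that can never appear in a valid RFC 3986 URI: the C0 control
# range (which includes CR and LF), space, and DEL. Rejecting the whole range
# also blocks the unencoded space that the proof of concept above relies on.
const FORBIDDEN_IN_URI = r"[\x00-\x20\x7f]"

"""
    validate_uri(uri::AbstractString) -> String

Return `uri` unchanged if it contains no control or whitespace characters,
otherwise throw an `ArgumentError`. Intended as a pre-flight check for
HTTP.jl < v1.10.17 / URIs.jl < v1.6.0, which did not reject such URIs.
"""
function validate_uri(uri::AbstractString)
    m = match(FORBIDDEN_IN_URI, uri)
    if m !== nothing
        bad = repr(m.match)
        throw(ArgumentError("refusing URI with forbidden character $bad at offset $(m.offset)"))
    end
    return String(uri)
end

# Hypothetical wrapper: validate first, then delegate to the real HTTP.get.
safe_get(uri::AbstractString; kwargs...) = HTTP.get(validate_uri(uri); kwargs...)

# Constructed inputs: a benign URI and the advisory's CRLF payload.
# Only the validator runs here, so no server needs to be listening.
for u in ("http://localhost:1337/ok",
          "http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:")
    try
        validate_uri(u)
        println("accepted: ", repr(u))
    catch e
        e isa ArgumentError || rethrow()
        println("rejected: ", e.msg)
    end
end
```

The second input is rejected at the space following the path, before any request is built; a URI that legitimately needs such characters must percent-encode them first.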

References

Fixed by: https://github.com/JuliaWeb/URIs.jl/pull/66 (which is available in URIs.jl v1.6.0).

Credits

Thanks to splitline from the DEVCORE Research Team for reporting this issue.

Related Identifiers

JLSEC-2025-1

Affected Products

Http
Uris