25 matches found
HTTP Request Smuggling
Overview: Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the HTTP trailer section in the parse function. An attacker can bypass security controls, launch targeted attacks against users, or poison web caches by crafting specially formed HTTP...
com.47deg:energy-monitor-persistence-app_3 (=0.2.0), com.avast:sst-bundle-monix-http4s-ember_3 (>=0.17.0 <=0.19.3) +77 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_3 (>=0.22.14 <=0.23.30)
org.http4s:http4s-ember-server_3 MAVEN version =0.22.14, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.1, =0.12.1, =7.1.0, =0.22.0, =1.9.3, =6.9.0, =1.0.0, =1.0.0, =0.4.1, =v0.2.0-rc2 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019550...
io.chrisdavenport:http4s-grpc-google-cloud-alloydb-v1_native0.4_2.13 (>=0.1.0+0.0.1 <=0.22.0+0.0.6), io.chrisdavenport:http4s-grpc-google-cloud-bigqueryconnection-v1_native0.4_2.13 (>=2.14.0+0.0.1 <=2.47.0+0.0.6) +21 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_native0.4_2.13 (>=0.23.18 <=0.23.30)
org.http4s:http4s-ember-server_native0.4_2.13 MAVEN version =0.23.18, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =0.106.0+0.0.1, =0.127.0+0.0.6 - io.chrisdavenport:htt...
io.github.linyxus:papiers-core_3 (=0.2.0), io.taig:taigless-storage-http4s-server_3 (=0.15.0) +3 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_3 (>=1.0.0-M29 <=1.0.0-M44)
org.http4s:http4s-ember-server_3 MAVEN version =1.0.0-M29, =0.1, =0.1, =0.9.0, =0.9.4 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019550...
org.http4s:http4s-ember-client_native0.4_3 (>=1.0.0-M37 <=1.0.0-M44), org.http4s:http4s-ember-server_native0.4_3 (>=1.0.0-M37 <=1.0.0-M44) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_native0.4_3 (>=1.0.0-M37 <=1.0.0-M44)
org.http4s:http4s-ember-core_native0.4_3 MAVEN version =1.0.0-M37, =1.0.0-M37, =1.0.0-M37, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019564...
com.47deg:energy-monitor-persistence-app_sjs1_3 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_3 (>=0.12.1 <=0.16.1) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_3 (>=0.23.10 <=0.23.30)
org.http4s:http4s-ember-server_sjs1_3 MAVEN version =0.23.10, =0.12.1, =0.1.0, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =3.21.4+0.0.6 - io.chrisdavenport:http4s-grpc-g...
io.jobial:scase-http4s_2.13 (>=2.1.0 <=2.2.2), io.jobial:scase_2.13 (>=2.1.0 <=2.2.2) +1 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.13 (>=1.0.0-M30 <=1.0.0-M37)
org.http4s:http4s-ember-server_2.13 MAVEN version =1.0.0-M30, =2.1.0, =2.1.0, =2.2.2 - io.taig:taigless-storage-http4s-server_2.13 =0.15.0 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019553...
io.chrisdavenport:shellserve_sjs1_2.12 (=0.0.2) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_2.12 (=0.23.12)
org.http4s:http4s-ember-server_sjs1_2.12 MAVEN version =0.23.12 is affected by a known vulnerability. The following packages have a transitive dependency on org.http4s:http4s-ember-server_sjs1_2.12 and may be impacted: - io.chrisdavenport:shellserve_sjs1_2.12 =0.0.2 Source cves: CVE-2025-59822 Source...
org.http4s:http4s-ember-client_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44), org.http4s:http4s-ember-server_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44)
org.http4s:http4s-ember-core_native0.4_2.13 MAVEN version =1.0.0-M37, =1.0.0-M37, =1.0.0-M37, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019562...
com.kubukoz:spotify-next_native0.4_3 (>=1.9.3 <=1.11.3), io.chrisdavenport:http4s-grpc-google-cloud-alloydb-v1_native0.4_3 (>=0.1.0+0.0.1 <=0.22.0+0.0.6) +22 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_native0.4_3 (>=0.23.16 <=0.23.30)
org.http4s:http4s-ember-server_native0.4_3 MAVEN version =0.23.16, =1.9.3, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =0.106.0+0.0.1, =0.127.0+0.0.6 -...
com.avast:sst-bundle-monix-http4s-ember_2.12 (>=0.17.0 <=0.19.3), com.avast:sst-bundle-zio-http4s-ember_2.12 (>=0.17.0 <=0.19.3) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.12 (>=0.22.10 <=0.23.30)
org.http4s:http4s-ember-server_2.12 MAVEN version =0.22.10, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.20.4, =1.6.29, =1.6.29, =1.6.29, =0.8.0-rab.1, =0.1.0, =0.14.0-M2 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019551...
co.topl:brambl-cli_2.13 (>=2.0.0-beta1 <=2.0.0-beta6), com.47deg:energy-monitor-persistence-app_2.13 (=0.2.0) +70 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.13 (>=0.22.10 <=0.23.30)
org.http4s:http4s-ember-server_2.13 MAVEN version =0.22.10, =2.0.0-beta1, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.1.0, =0.20.4, =0.0.1, =1.0.0, =1.0.0, =5.0.0 - com.snowplowanalytics:loaders-common_2.13 =0.1.0-M5 and more Source cves: CVE-2025-59822 Source advisor...
com.47deg:energy-monitor-persistence-app_sjs1_2.13 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_2.13 (>=0.12.1 <=0.16.1) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_2.13 (>=0.23.10 <=0.23.30)
org.http4s:http4s-ember-server_sjs1_2.13 MAVEN version =0.23.10, =0.12.1, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =3.21.4+0.0.6 - io.chrisdavenport:http4s-grpc-google-cloud...
org.creativescala:krop-core_sjs1_3 (>=0.6.0 <=0.9.4) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_3 (>=1.0.0-M40 <=1.0.0-M44)
org.http4s:http4s-ember-server_sjs1_3 MAVEN version =1.0.0-M40, =0.6.0, =0.9.4 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019554...
io.taig:taigless-storage-http4s-server_2.13 (=0.15.0), org.http4s:http4s-ember-client_2.13 (>=1.0.0-M4 <=1.0.0-M44) +1 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_2.13 (>=1.0.0-M37 <=1.0.0-M44)
org.http4s:http4s-ember-core_2.13 MAVEN version =1.0.0-M37, =1.0.0-M4, =1.0.0-M4, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019559...
FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side
Impact: When establishing a TLS session with fs2-io on the JVM via the fs2.io.net.tls package, if one side of the connection shuts down its write side while the peer is awaiting more data to progress the TLS handshake, the peer will spin loop on the socket read, fully utilizing a CPU. This CPU...