5 matches found

OSV
added yesterday, 4 views

JLSEC-2026-622 Predictable WebSocket masking key and handshake nonce in HTTP.jl client

Description: The WebSocket client masking key (wssendframe!) and the Sec-WebSocket-Key handshake nonce (wsrandomhandshakekey) were generated with rand(UInt8, n), which draws from the task-local Xoshiro256++ PRNG. Xoshiro is not cryptographically secure: its internal state can be recovered from a short r...

5.9 AI score
Exploits: 0, References: 2

OSV
added yesterday, 3 views

JLSEC-2026-611 Unbounded HTTP/2 concurrent streams and Rapid Reset denial of service in HTTP.jl server

Description: The HTTP.jl HTTP/2 server advertised an empty initial SETTINGS frame, leaving SETTINGS_MAX_CONCURRENT_STREAMS effectively unlimited, and the HEADERS code path allocated per-stream state, a send-window entry, and a Threads.@spawn-ed handler with no check on the number of open streams...

5.9 AI score
Exploits: 0, References: 2

OSV
added yesterday, 4 views

JLSEC-2026-621 Thread-safety and out-of-bounds reads in the HTTP.jl content-type sniffer

Description: The content-type sniffer had two memory/concurrency bugs. Number sniffing in isjson stored the strtod end-pointer out-parameter in a shared module-global Vector{Ptr{UInt8}}; concurrent sniff calls on a multithreaded server raced on that single cell between the ccall and the subsequent rea...

6 AI score
Exploits: 0, References: 2

Cvelist
added 2025/10/10 4:48 p.m., 7 views

CVE-2025-61689 HTTP.jl vulnerable to Header injection/Response splitting via header construction.

HTTP.jl provides HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header...

9.2 CVSS, 0.00311 EPSS
Exploits: 0, References: 2

Vulnrichment
added 2025/10/10 4:48 p.m., 2 views

CVE-2025-61689 HTTP.jl vulnerable to Header injection/Response splitting via header construction.

HTTP.jl provides HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header...

9.2 CVSS, 6.8 AI score, 0.00311 EPSS
Exploits: 0, References: 2