16 matches found
HTTP Request Smuggling
Overview Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the HTTP trailer section in the parse function. An attacker can bypass security controls, launch targeted attacks against users, or poison web caches by crafting specially formed HTTP...
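What "improper parsing of the HTTP trailer section" buys an attacker, as an added example that is not http4s or Ember code and does not reproduce the CVE-2025-59822 defect itself: a strict chunked-body parser in Python beside a deliberately lenient one, both run over a constructed byte stream whose trailer section uses bare-LF line endings. The lenient parser's two modes disagree on where the first message ends, so one of them finds a complete second request in bytes the other treats as trailers; the strict parser refuses the input, and also rejects trailer fields such as `Content-Length` that RFC 9110 forbids. The sample bytes, the `X-Sig` trailer and the `/admin` path are constructed for the illustration.

```python
"""Strict vs. lenient parsing of the chunked trailer section (RFC 9112 s.7.1).
Constructed illustration, not http4s Ember code: the parser's answer to "where
does this message end?" is a security boundary, because two parsers that
disagree on it carve one byte stream into different numbers of requests."""
import re

# Subset of the fields RFC 9110 s.6.5.1 forbids as trailers (framing, routing,
# request modifiers, authentication, content metadata).
FORBIDDEN_TRAILERS = {
    b"content-length", b"transfer-encoding", b"host", b"te", b"trailer",
    b"authorization", b"cookie", b"set-cookie", b"content-type",
    b"content-encoding", b"content-range",
}
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # field-name = token


def _read_chunks(buf, pos=0):
    """Decode chunks through the last-chunk; return (body, start of trailers)."""
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size_field = buf[pos:eol].split(b";", 1)[0]          # drop chunk-ext
        # Hex digits only: whitespace or signs around the size are rejected,
        # since they are a classic source of disagreement between parsers.
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise ValueError("malformed chunk-size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(body), pos
        data_end = pos + size
        if buf[data_end:data_end + 2] != b"\r\n":
            raise ValueError("chunk-data not terminated by CRLF")
        body += buf[pos:data_end]
        pos = data_end + 2


def parse_chunked_strict(buf):
    """Return (body, trailers, rest).  Any irregularity in the trailer section
    is a hard error: answer 400 and close, never guess where the message ended."""
    body, pos = _read_chunks(buf)
    trailers = {}
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete trailer section")
        line = buf[pos:eol]
        pos = eol + 2
        if line == b"":
            return body, trailers, buf[pos:]
        name, sep, value = line.partition(b":")
        value = value.strip(b" \t")
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError("malformed trailer line %r" % line)
        if any(c < 0x20 or c == 0x7F for c in value):       # bare CR/LF, NUL, ...
            raise ValueError("control character in trailer value")
        if name.lower() in FORBIDDEN_TRAILERS:
            raise ValueError("field %r is not allowed as a trailer" % name)
        trailers[name.lower()] = value


def parse_chunked_lenient(buf, bare_lf_ends_line):
    """Deliberately permissive contrast: no field validation, and with
    bare_lf_ends_line=True a lone LF terminates a trailer line."""
    body, pos = _read_chunks(buf)
    trailers = {}
    terminator = b"\n" if bare_lf_ends_line else b"\r\n"
    while True:
        eol = buf.find(terminator, pos)
        if eol < 0:
            raise ValueError("incomplete trailer section")
        line = buf[pos:eol].rstrip(b"\r") if bare_lf_ends_line else buf[pos:eol]
        pos = eol + len(terminator)
        if line == b"":
            return body, trailers, buf[pos:]
        name, _, value = line.partition(b":")
        trailers[name.lower()] = value.strip(b" \t")


def strict_rejects(buf):
    """True when the strict parser refuses buf (the server should answer 400)."""
    try:
        parse_chunked_strict(buf)
    except ValueError:
        return True
    return False


# Constructed sample: a chunked message whose trailer section uses bare-LF line
# endings, followed by a second request on the same connection.
SAMPLE = (
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Sig: abc\n"        # trailer line ended by LF alone
    b"\n"                  # empty line ended by LF alone
    b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n"
)
```

Run the two lenient modes over `SAMPLE` and compare: with a bare LF accepted as a line terminator the leftover bytes are a complete second request; with CRLF-only scanning the same bytes are swallowed into the first request's trailers and nothing is left over; the strict parser raises. A front end and a back end that land on different rows of that table are desynchronised, which is the condition the advisory's "bypass security controls ... poison web caches" depends on. The only parser behaviour that cannot be desynchronised is the one that rejects anything it cannot parse unambiguously and closes the connection.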
io.github.linyxus:papiers-core_3 (=0.2.0), io.taig:taigless-storage-http4s-server_3 (=0.15.0) +3 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_3 (>=1.0.0-M29 <=1.0.0-M44)
org.http4s:http4s-ember-server_3 MAVEN version =1.0.0-M29, =0.1, =0.1, =0.9.0, =0.9.4 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019550...
com.47deg:energy-monitor-persistence-app_3 (=0.2.0), com.avast:sst-bundle-monix-http4s-ember_3 (>=0.17.0 <=0.19.3) +77 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_3 (>=0.22.14 <=0.23.30)
org.http4s:http4s-ember-server_3 MAVEN version =0.22.14, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.1, =0.12.1, =7.1.0, =0.22.0, =1.9.3, =6.9.0, =1.0.0, =1.0.0, =0.4.1, =v0.2.0-rc2 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019550...
io.chrisdavenport:shellserve_sjs1_2.12 (=0.0.2) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_2.12 (=0.23.12)
org.http4s:http4s-ember-server_sjs1_2.12 MAVEN version =0.23.12 is affected by a known vulnerability. The following packages have a transitive dependency on org.http4s:http4s-ember-server_sjs1_2.12 and may be impacted: - io.chrisdavenport:shellserve_sjs1_2.12 =0.0.2 Source cves: CVE-2025-59822 Source...
io.jobial:scase-http4s_2.13 (>=2.1.0 <=2.2.2), io.jobial:scase_2.13 (>=2.1.0 <=2.2.2) +1 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.13 (>=1.0.0-M30 <=1.0.0-M37)
org.http4s:http4s-ember-server_2.13 MAVEN version =1.0.0-M30, =2.1.0, =2.1.0, =2.2.2 - io.taig:taigless-storage-http4s-server_2.13 =0.15.0 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019553...
com.kubukoz:spotify-next_native0.4_3 (>=1.9.3 <=1.11.3), io.chrisdavenport:http4s-grpc-google-cloud-alloydb-v1_native0.4_3 (>=0.1.0+0.0.1 <=0.22.0+0.0.6) +22 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_native0.4_3 (>=0.23.16 <=0.23.30)
org.http4s:http4s-ember-server_native0.4_3 MAVEN version =0.23.16, =1.9.3, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =0.106.0+0.0.1, =0.127.0+0.0.6 -...
com.47deg:energy-monitor-persistence-app_sjs1_3 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_3 (>=0.12.1 <=0.16.1) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_3 (>=0.23.10 <=0.23.30)
org.http4s:http4s-ember-server_sjs1_3 MAVEN version =0.23.10, =0.12.1, =0.1.0, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =3.21.4+0.0.6 - io.chrisdavenport:http4s-grpc-g...
org.http4s:http4s-ember-client_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44), org.http4s:http4s-ember-server_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44) potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_native0.4_2.13 (>=1.0.0-M37 <=1.0.0-M44)
org.http4s:http4s-ember-core_native0.4_2.13 MAVEN version =1.0.0-M37, =1.0.0-M37, =1.0.0-M37, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019562...
com.avast:sst-bundle-monix-http4s-ember_2.12 (>=0.17.0 <=0.19.3), com.avast:sst-bundle-zio-http4s-ember_2.12 (>=0.17.0 <=0.19.3) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.12 (>=0.22.10 <=0.23.30)
org.http4s:http4s-ember-server_2.12 MAVEN version =0.22.10, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.20.4, =1.6.29, =1.6.29, =1.6.29, =0.8.0-rab.1, =0.1.0, =0.14.0-M2 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019551...
co.topl:brambl-cli_2.13 (>=2.0.0-beta1 <=2.0.0-beta6), com.47deg:energy-monitor-persistence-app_2.13 (=0.2.0) +70 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.13 (>=0.22.10 <=0.23.30)
org.http4s:http4s-ember-server_2.13 MAVEN version =0.22.10, =2.0.0-beta1, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.1.0, =0.20.4, =0.0.1, =1.0.0, =1.0.0, =5.0.0 - com.snowplowanalytics:loaders-common_2.13 =0.1.0-M5 and more Source cves: CVE-2025-59822 Source advisor...
com.47deg:energy-monitor-persistence-app_sjs1_2.13 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_2.13 (>=0.12.1 <=0.16.1) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_2.13 (>=0.23.10 <=0.23.30)
org.http4s:http4s-ember-server_sjs1_2.13 MAVEN version =0.23.10, =0.12.1, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =3.21.4+0.0.6 - io.chrisdavenport:http4s-grpc-google-cloud...
Unbounded connection acceptance in http4s-blaze-server
Impact blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an...
Unbounded connection acceptance leads to file handle exhaustion
Impact All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request...
PT-2021-14396 · Unknown +2 · Blaze-Core +5
Name of the Vulnerable Software and Affected Versions: http4s versions prior to 0.21.17; http4s versions prior to 0.22.0-M2; http4s versions prior to 1.0.0-M14. Description: The issue is related to the blaze-core library, which accepts connections unboundedly on its selector pool. This can lead to a...
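The shape of the remedy the three blaze advisories above call for, as an added example in Python rather than blaze's Scala/NIO code, and not the http4s project's own fix: a selector-driven server that stops polling its listening socket once a configurable number of connections is active and re-arms it when load drops. Overflow then waits in the kernel's listen backlog and is refused once that fills, instead of being accepted onto the selector and consuming a file descriptor per connection the overloaded server cannot serve. The `AcceptGate` class, its `max_active`/`resume_below` parameters and the stub HTTP responder are constructed for the illustration.

```python
"""Bounded connection acceptance on a selector loop.
Constructed contrast to an accept loop that takes every connection the kernel
offers; not blaze or http4s code.  At capacity the server stops polling the
listening socket, so new connections wait in the small kernel backlog and are
refused once it fills, instead of each costing a file descriptor and a task."""
import selectors
import socket
import threading


class AcceptGate:
    """Pure policy, separate from I/O so it is testable: should the loop be
    polling the listener right now?  resume_below adds hysteresis."""

    def __init__(self, max_active, resume_below=None):
        if max_active < 1:
            raise ValueError("max_active must be >= 1")
        self.max_active = max_active
        self.resume_below = max_active if resume_below is None else resume_below
        self.active = 0
        self.paused = False

    def on_open(self):
        self.active += 1
        if self.active >= self.max_active:
            self.paused = True

    def on_close(self):
        self.active -= 1
        if self.paused and self.active < self.resume_below:
            self.paused = False

    def may_accept(self):
        return not self.paused


class BoundedServer:
    """Minimal HTTP responder whose accept path is gated by AcceptGate."""

    def __init__(self, max_active, host="127.0.0.1", port=0, backlog=8):
        self.gate = AcceptGate(max_active)
        self.sel = selectors.DefaultSelector()
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((host, port))
        self.lsock.listen(backlog)        # overflow queues in the kernel, not the app
        self.lsock.setblocking(False)
        self.sel.register(self.lsock, selectors.EVENT_READ, self._accept)
        self._stop = threading.Event()

    @property
    def port(self):
        return self.lsock.getsockname()[1]

    def _accept(self, lsock):
        conn, _ = lsock.accept()
        conn.setblocking(False)
        self.sel.register(conn, selectors.EVENT_READ, self._serve)
        self.gate.on_open()
        if not self.gate.may_accept():    # at capacity: stop asking for more
            self.sel.unregister(lsock)

    def _serve(self, conn):
        try:
            if conn.recv(4096):
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                             b"Connection: close\r\n\r\nok")
        except OSError:
            pass                          # peer reset; still release the slot
        self.sel.unregister(conn)
        conn.close()
        was_paused = self.gate.paused
        self.gate.on_close()
        if was_paused and self.gate.may_accept():   # under the limit again: re-arm
            self.sel.register(self.lsock, selectors.EVENT_READ, self._accept)

    def serve_forever(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                key.data(key.fileobj)

    def stop(self):
        self._stop.set()


if __name__ == "__main__":
    # Smoke run: two idle clients saturate a max_active=2 server; the listener
    # is disarmed, then re-armed as soon as one of them disconnects.
    import time
    srv = BoundedServer(max_active=2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    idle = [socket.create_connection(("127.0.0.1", srv.port)) for _ in range(2)]
    time.sleep(0.3)
    print("active:", srv.gate.active, "accepting:", srv.gate.may_accept())
    idle[0].close()
    time.sleep(0.3)
    print("active:", srv.gate.active, "accepting:", srv.gate.may_accept())
    srv.stop()
```

The accept decision is deliberately a pure object so the limit and the hysteresis can be unit-tested without sockets; the I/O class only translates its answers into registering or unregistering the listener. The backlog value is the real ceiling on queued work: keep it small, so that excess clients see a refused connection quickly rather than a server that accepts everything and serves nothing.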