HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the HTTP trailer section in the parse function. An attacker can bypass security controls, launch targeted attacks against users, or poison web caches by crafting specially formed HTTP...

com.armanbilge:sbt-bundlemon_2.12_1.0 (=0.1.4), com.avast:sst-bundle-monix-http4s-ember_2.12 (>=0.17.0 <=0.19.3) +66 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_2.12 (>=0.10.0-M10 <=0.23.30)

org.http4s:http4s-ember-core2.12 MAVEN version =0.10.0-M10, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.21.0, =0.20.4, =0.21.0, =0.21.0, =0.21.0, =0.22.1 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019566...

dev.i10416:slackapis-core_sjs1_2.13 (>=0.0.1 <=0.0.2), org.http4s:http4s-ember-client_sjs1_2.13 (>=1.0.0-M24 <=1.0.0-M44) +1 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_sjs1_2.13 (>=1.0.0-M24 <=1.0.0-M44)

org.http4s:http4s-ember-coresjs12.13 MAVEN version =1.0.0-M24, =0.0.1, =1.0.0-M24, =1.0.0-M24, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019561...

co.topl:brambl-cli_2.13 (>=2.0.0-beta1 <=2.0.0-beta6), com.47deg:energy-monitor-persistence-app_2.13 (=0.2.0) +70 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_2.13 (>=0.22.10 <=0.23.30)

org.http4s:http4s-ember-server2.13 MAVEN version =0.22.10, =2.0.0-beta1, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.1.0, =0.20.4, =0.0.1, =1.0.0, =1.0.0, =5.0.0 - com.snowplowanalytics:loaders-common2.13 =0.1.0-M5 and more Source cves: CVE-2025-59822 Source advisor...

co.topl:bifrost-daml-broker_2.13 (=1.0.0.beta-2), co.topl:brambl-cli_2.13 (>=2.0.0-beta1 <=2.0.0-beta6) +120 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_2.13 (>=0.10.0-M10 <=0.23.30)

org.http4s:http4s-ember-core2.13 MAVEN version =0.10.0-M10, =2.0.0-beta1, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.0-3-cca5341b, =0.12.1, =7.1.0, =0.1.0, =0.21.0, =0.20.4, =0.22.1 and more Source cves: CVE-2025-59822 Source advisory: OSV:GHSA-WCWH-7GFW-5WRR...

com.47deg:energy-monitor-persistence-app_3 (=0.2.0), com.avast:sst-bundle-monix-http4s-ember_3 (>=0.17.0 <=0.19.3) +163 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_3 (>=0.22.0-M8 <=0.23.30)

org.http4s:http4s-ember-core3 MAVEN version =0.22.0-M8, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.1, =1.0.0, =0.12.1, =7.1.0, =0.22.0, =0.22.0, =0.22.1 and more Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019560...

com.47deg:energy-monitor-persistence-app_3 (=0.2.0), com.avast:sst-bundle-monix-http4s-ember_3 (>=0.17.0 <=0.19.3) +163 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_3 (>=0.22.0-M8 <=0.23.30)

org.http4s:http4s-ember-core3 MAVEN version =0.22.0-M8, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.17.0, =0.0.1, =1.0.0, =0.12.1, =7.1.0, =0.22.0, =0.22.0, =0.22.1 and more Source cves: CVE-2025-59822 Source advisory: OSV:GHSA-WCWH-7GFW-5WRR...

dev.hnaderi:scala-k8s-http4s-ember_native0.4_2.13 (>=0.11.0 <=0.25.0), dev.hnaderi:scala-k8s-http4s_native0.4_2.13 (>=0.4.0 <=0.10.0) +33 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_native0.4_2.13 (>=0.23.16 <=0.23.30)

org.http4s:http4s-ember-corenative0.42.13 MAVEN version =0.23.16, =0.11.0, =0.4.0, =0.0.1, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =1.44.0+0.0.6 - io.chrisdavenport:http...

io.taig:taigless-storage-http4s-server_2.13 (=0.15.0), org.http4s:http4s-ember-client_2.13 (>=1.0.0-M4 <=1.0.0-M44) +1 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_2.13 (>=1.0.0-M37 <=1.0.0-M44)

org.http4s:http4s-ember-core2.13 MAVEN version =1.0.0-M37, =1.0.0-M4, =1.0.0-M4, =1.0.0-M44 Source cves: CVE-2025-59822 Source advisory: SNYK:JAVA-ORGHTTP4S-13019559...

com.47deg:energy-monitor-persistence-app_sjs1_2.13 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_2.13 (>=0.12.1 <=0.16.1) +25 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-server_sjs1_2.13 (>=0.23.10 <=0.23.30)

org.http4s:http4s-ember-serversjs12.13 MAVEN version =0.23.10, =0.12.1, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =2.20.0+0.0.1, =1.11.0+0.0.1, =3.9.0+0.0.1, =3.21.4+0.0.6 - io.chrisdavenport:http4s-grpc-google-cloud...

com.47deg:energy-monitor-persistence-app_sjs1_2.13 (=0.2.0), com.disneystreaming.smithy4s:smithy4s-tests_sjs1_2.13 (>=0.12.1 <=0.16.1) +43 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_sjs1_2.13 (>=0.23.10 <=0.23.30)

org.http4s:http4s-ember-coresjs12.13 MAVEN version =0.23.10, =0.12.1, =0.11.0, =0.4.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0+0.0.1, =2.14.0+0.0.1, =0.9.0+0.0.1, =2.12.0+0.0.1, =0.15.0+0.0.1, =2.13.0+0.0.1, =2.34.0+0.0.1, =3.6.0+0.0.6 - io.chrisdavenport:http4s-grp...

Http4s 安全漏洞

Http4s is an open source streaming HTTP server for Scala from Http4s Open Source. A security vulnerability exists in Http4s versions 1.0.0-M1 through 1.0.0-M45 and prior to 0.23.31, which stems from mishandling of the HTTP trailer section and could lead to an HTTP request entrapment technique...

PT-2025-39209

Name of the Vulnerable Software and Affected Versions Http4s versions 1.0.0-M1 through 1.0.0-M44 Http4s versions prior to 0.23.31 Description Http4s is susceptible to HTTP Request Smuggling because of incorrect handling of the HTTP trailer section. This can allow attackers to circumvent front-end...

GHSA-RRW2-PX9J-QFFJ FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

Impact When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU...

CVE-2021-21294

Http4s http4s-blaze-server is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its...

CVE-2021-21293

blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze, accepts connections unconditionally on a...

CVE-2021-32643

Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns FNone, indicating no resource, if url.getFile is a...

CVE-2020-5280

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalizatio...

com.alejandrohdezma:scala-steward-core_2.13 (>=0.11.0 <=0.11.1), com.github.tototoshi:mvnsearch_2.13 (>=0.5.0 <=0.5.1) +136 more potentially affected by CVE-2023-22465 via org.http4s:http4s-core_2.13 (>=1.0.0-M10 <=1.0.0-M37)

org.http4s:http4s-core2.13 MAVEN version =1.0.0-M10, =0.11.0, =0.5.0, =1.3.0, =0.9.0-M2, =0.9.0-M2, =5.0.0-RC1, =5.0.0-RC1, =3.3.0, =0.4.1, =0.2.0, =0.3.0, =0.2.0, =0.2.1 and more Source cves: CVE-2023-22465 Source advisory: OSV:GHSA-54W6-VXFH-FW7F...

GHSA-54W6-VXFH-FW7F Http4s improperly parses User-Agent and Server headers

Impact The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. v0.21.x scala val unsafe: OptionUser-Agent = req.headers.getUser-Agent...