JLSEC-2026-614 WebSocket default Origin check ignores scheme and port in HTTP.jl

Description The default WebSocket Origin validator originalloweddefault only enforced the host component of the same-origin tuple. It never checked the Origin's scheme, and when the request Host header carried no explicit port the norm for default-port 80/443 servers, where browsers omit the port...

CVE-2025-61689

CVE-2025-61689 affects the Julia HTTP client/server library HTTP.jl. Prior to version 1.10.19, it failed to validate illegal characters in header names/values, enabling CRLF-based header injection and response splitting. Reported impact includes cache poisoning, XSS, and session fixation. The iss...