{"id":"JLSEC-2026-616","summary":"HTTP/1 client request smuggling via CR/LF in method, target, or host in HTTP.jl","details":"### Description\n\nThe HTTP/1 client serialized `request.method` and `request.target` (and, in forward-proxy absolute-form, the host) verbatim onto the wire with no CR/LF/CTL filtering; the only target validator was wired solely into the server parse path. A caller passing an attacker-influenced URL or method to the client could embed `\\r\\n` in the method, path, or query to inject arbitrary request headers, or `\\r\\n\\r\\n` to smuggle a second pipelined request onto a pooled keep-alive (or proxy-forwarded) connection. The HTTP/2 client already rejected CR/LF in `:path`, so this was an HTTP/1-specific omission.\n\n### Impact\n\nCR/LF injection in client request start lines could lead to header injection and request smuggling on reused or proxied connections.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. A new `_validate_request_start_line!` validates the method against the RFC 7230 token grammar, delegates target validation to the existing `_validate_request_target!`, and rejects control bytes in a supplied host. It is wired into all HTTP/1 wire start-line writers (origin-form, CONNECT authority-form, asterisk-form, websocket, and forward-proxy absolute-form) before any bytes are emitted, rejecting offending requests with a `ParseError`.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-23PZ587V","ANT-2026-5W0B63VQ","ANT-2026-8WT2MXD5","ANT-2026-P0SGS9PG"],"modified":"2026-06-23T17:30:14.366081505Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/3f435e365465453fa5f65f31353dfe0fbf8d532e"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-616.json"}}],"schema_version":"1.7.5"}