{"id":"JLSEC-2026-618","summary":"HTTP/1 request smuggling via bare-LF, lenient chunk size, and TE/CL handling in HTTP.jl server","details":"### Description\n\nThe HTTP/1 server request parser had three framing primitives that could make HTTP.jl disagree with a fronting proxy about message boundaries on a reused keep-alive connection. (1) `_readline_crlf` tolerated a bare `LF` on its buffered fast path but required `CRLF` on the slow path, so the accepted header grammar depended on TCP segmentation and an absorbed bare `LF` could silently merge headers. (2) `_parse_chunk_size` delegated to `Base.parse(Int64, ...; base=16)`, which tolerates a leading sign, a `0x` prefix, and whitespace padding (including a trailing bare `CR`). (3) For HTTP/1.0, `Transfer-Encoding` was stripped with a fallback to `Content-Length` while the connection could stay open, and a request carrying both `Transfer-Encoding` and `Content-Length` was silently treated as chunked.\n\n### Impact\n\nThese parsing discrepancies enabled HTTP request smuggling past a fronting proxy on pooled/keep-alive connections.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. Both line-reading paths now require a strict `CRLF` and reject a bare `LF`; chunk sizes use a strict byte-by-byte `1*HEXDIG` parser (rejecting signs, prefixes, and whitespace); HTTP/1.0 messages carrying `Transfer-Encoding` are rejected; and any request carrying both `Transfer-Encoding` and `Content-Length` is rejected. All rejections surface as a 400 with the connection force-closed so no ambiguous trailing bytes remain.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-CN279YCX","ANT-2026-MG2WTZ8Z","ANT-2026-SRPX7DN1","ANT-2026-YD5QTQDZ"],"modified":"2026-06-23T17:30:14.962334301Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/2091b63e0a71c177625385bdb819345a69487342"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-618.json"}}],"schema_version":"1.7.5"}