{"id":"JLSEC-2026-619","summary":"CR/LF injection in server-sent events (SSE) fields in HTTP.jl","details":"### Description\n\nThe server-side SSE serializer wrote the single-line fields `event`, `id`, and `retry` verbatim to the `text/event-stream` wire with no CR/LF filtering, and split the multi-line `data` field only on `\\n`, ignoring a bare `\\r` that is also a valid SSE line terminator. The `SSEEvent` constructor validated nothing. An application echoing attacker-influenced text into `id`/`event`/`retry` (for example a `Last-Event-ID` or correlation id) could embed CR/LF to forge additional SSE fields or a blank-line dispatch boundary, injecting complete events into every connected `EventSource` client.\n\n### Impact\n\nSSE event injection: an attacker could forge or inject arbitrary events delivered to all connected EventSource clients.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. The `SSEEvent` keyword constructor rejects CR/LF in `event`/`id` (and NUL in `id`, and a negative `retry`), `write(::SSEStream, ::SSEEvent)` re-validates as defense-in-depth, and `data` is split on `\\r\\n|\\r|\\n` so all line-break forms normalize to separate `data:` lines with no raw CR on the wire.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-7273TGMW","ANT-2026-C4BNTGKK","ANT-2026-G8DXNHAE","ANT-2026-VATEAP9Z"],"modified":"2026-06-23T17:30:15.080674101Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/e8616512ec0d75f9dcd632e01eb5a5e0361d4e07"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-619.json"}}],"schema_version":"1.7.5"}