{"id":"JLSEC-2026-621","summary":"Thread-safety and out-of-bounds reads in the HTTP.jl content-type sniffer","details":"### Description\n\nThe content-type sniffer had one concurrency bug and two out-of-bounds-read bugs. Number sniffing in `isjson` stored the `strtod` end-pointer out-parameter in a shared module-global `Vector{Ptr{UInt8}}`; concurrent `sniff` calls on a multithreaded server raced on that single cell between the `ccall` and the subsequent read, producing a non-deterministic consumed length and parse result that an attacker could use to influence content-type classification. The bytes handed to `jl_strtod_c` were also not NUL-terminated, so `strtod` could read past the provided buffer. Separately, the MP4 `ftyp` matcher iterated comparison windows under `@inbounds` with a loop bound that, when `boxsize == length(data)`, read up to three bytes past the end of the buffer.\n\n### Impact\n\nOn a multithreaded server, attacker-influenced input could non-deterministically affect content-type classification, and crafted buffers could trigger out-of-bounds heap reads (crash or potential information disclosure).\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. The shared global is removed in favor of a per-call `Ref`; numeric input is copied into a freshly allocated NUL-terminated buffer so `strtod` is bounded; and the MP4 matcher's loop upper bound is clamped so every comparison window lies fully within the buffer.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-07KFWYV3","ANT-2026-5FMZ73VG","ANT-2026-9PKP3RJA"],"modified":"2026-06-23T17:30:17.022515104Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/f9cd96272b4a232026059177e440da5355e64ef6"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-621.json"}}],"schema_version":"1.7.5"}
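The three fix patterns named in the Patches section (a per-call `Ref` for the `strtod` end pointer, a NUL-terminated copy of the numeric input, and a clamped upper bound for the MP4 `ftyp` comparison windows), as an added illustration written for this page. It is a hypothetical reconstruction, not HTTP.jl's own code or the contents of the linked commit; the function names `sniff_number`, `is_mp4` and `consumed_lengths_are_stable`, and the constructed sample buffers, are assumptions. Only `jl_strtod_c` is taken from the advisory itself.

```julia
# Hypothetical reconstruction of the fixed patterns; not HTTP.jl code.

# Number sniffing: parse a float prefix of data[pos:end] and return
# (value, bytes consumed). Safe to call concurrently from many tasks.
function sniff_number(data::Vector{UInt8}, pos::Int)
    n = length(data) - pos + 1
    n <= 0 && return (NaN, 0)
    # strtod stops at the first unparsable byte OR at a NUL. The caller's slice
    # has no NUL guarantee, so copy it into a fresh buffer with a trailing 0x00:
    # strtod can then never read past bytes we own.
    buf = Vector{UInt8}(undef, n + 1)
    copyto!(buf, 1, data, pos, n)
    buf[n + 1] = 0x00
    # The end-pointer out-parameter lives in a Ref owned by this call. A
    # module-global Vector{Ptr{UInt8}} shared by every task would race between
    # the ccall writing it and this function reading it back.
    endptr = Ref{Ptr{UInt8}}(C_NULL)
    val = 0.0
    consumed = 0
    GC.@preserve buf begin
        p = pointer(buf)
        val = ccall(:jl_strtod_c, Float64, (Ptr{UInt8}, Ptr{Ptr{UInt8}}), p, endptr)
        consumed = Int(endptr[] - p)
    end
    return (val, consumed)
end

# MP4 sniff: big-endian box size, "ftyp" tag, then 4-byte brand fields.
# Every comparison window must lie entirely inside `data`.
function is_mp4(data::Vector{UInt8})
    length(data) < 12 && return false
    boxsize = Int(ntoh(reinterpret(UInt32, data[1:4])[1]))
    (boxsize % 4 != 0 || boxsize > length(data)) && return false
    @view(data[5:8]) == b"ftyp" || return false
    # Brand windows start at byte 9 (1-based) and step by 4. Clamping the last
    # start to `limit - 3` guarantees st + 3 <= limit <= length(data), so the
    # @inbounds reads below stay in the buffer even when boxsize == length(data).
    limit = min(boxsize, length(data))
    for st in 9:4:(limit - 3)
        st == 13 && continue  # skip the minor-version field
        @inbounds if data[st] == UInt8('m') && data[st + 1] == UInt8('p') &&
                     data[st + 2] == UInt8('4')
            return true
        end
    end
    return false
end

# Concurrency sanity check: with a per-call Ref, no task can observe another
# task's end pointer, so each input's consumed length is always the same.
function consumed_lengths_are_stable(inputs::Vector{Vector{UInt8}}, expected::Vector{Int})
    ok = Threads.Atomic{Bool}(true)
    @sync begin
        for _ in 1:2000, (d, e) in zip(inputs, expected)
            Threads.@spawn begin
                _, c = sniff_number(d, 1)
                c == e || (ok[] = false)
            end
        end
    end
    return ok[]
end

# Constructed sample inputs (not from the advisory).
num_inputs = [Vector{UInt8}(codeunits("1.5x")), Vector{UInt8}(codeunits("123456.789 z"))]
num_expected = [3, 10]
# 20-byte ftyp box whose declared size equals the buffer length, the shape the
# original loop bound mishandled.
mp4_sample = vcat(UInt8[0, 0, 0, 20], Vector{UInt8}(codeunits("ftypisom")),
                  UInt8[0, 0, 2, 0], Vector{UInt8}(codeunits("mp42")))

println(sniff_number(num_inputs[1], 1))
println(is_mp4(mp4_sample))
println(consumed_lengths_are_stable(num_inputs, num_expected))
```

Run with `julia -t auto` so `Threads.@spawn` actually schedules across threads; on a single thread the stability check still passes but exercises nothing. The clamp in `is_mp4` is deliberately expressed as an upper bound on the window start rather than as a check inside the loop, so the `@inbounds` annotation is justified by construction instead of by a per-iteration branch.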