{"id":"JLSEC-2026-622","summary":"Predictable WebSocket masking key and handshake nonce in HTTP.jl client","details":"### Description\n\nThe WebSocket client masking key (`ws_send_frame!`) and the `Sec-WebSocket-Key` handshake nonce (`ws_random_handshake_key`) were generated with `rand(UInt8, n)`, which draws from the task-local Xoshiro256++ PRNG. Xoshiro is not cryptographically secure: its internal state can be recovered from a short run of observed outputs, and every outbound client frame exposes 4 mask bytes on the wire. An on-path observer could therefore recover the RNG state and predict all future masking keys, defeating the RFC 6455 §5.3 anti-cache-poisoning purpose of masking.\n\n### Impact\n\nPredictable masking keys could let an on-path attacker who also supplies payload craft wire bytes that a non-conformant transparent proxy parses and caches (request/response smuggling and cache poisoning).\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. A module-level CSPRNG (`const WS_CSPRNG = Random.RandomDevice()`) now generates both the 4-byte masking key and the 16-byte handshake nonce. The wire format and public API are unchanged.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-90M07PW7","ANT-2026-K6WWQH2N","ANT-2026-ZQ6ARSMP"],"modified":"2026-06-23T17:30:17.122156332Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/5763addcbb970c8c7ca170abea56e8125526c99e"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-622.json"}}],"schema_version":"1.7.5"}