{"id":"JLSEC-2026-623","summary":"Insufficient HTTP/2 pseudo-header and Host/:authority validation in HTTP.jl server","details":"### Description\n\nThe HTTP/2 server's request validator passed only `:method`, `:path`, and `:authority` through a normalizer that rejects CR/LF/CTL but permits SP/HTAB and applies no host or token grammar. As a result a `:method` such as `\"GET /admin?x=\"` was accepted, `:path` could carry interior whitespace, and `:authority` was never host-validated; on HTTP/1 downgrade these were written verbatim into the request line, enabling request smuggling past path-based ACLs. Separately, a request could carry both a benign `:authority` and a mismatched `Host` header, which the HTTP/1 serializer forwarded verbatim, so a proxy could authorize on `:authority` while forwarding a hostile `Host` to an origin.\n\n### Impact\n\nThese gaps enabled request smuggling past path-based access controls and authority/Host confusion when HTTP/2 requests were downgraded or forwarded.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. `:method` must match the RFC 9110 token charset, `:path` must not contain interior SP/HTAB, `:authority` must pass the host validator, and — per RFC 9113 §8.3.1 — when `:authority` is present every `Host` header value (checking all entries, not just the first) must equal it, otherwise the request is rejected as malformed.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-565042FN","ANT-2026-CWYA87HX"],"modified":"2026-06-23T17:30:17.119607727Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/b4fd3f44047f0839d0f5086ca4f767d7b56195a6"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-623.json"}}],"schema_version":"1.7.5"}