{"id":"JLSEC-2026-624","summary":"HTTP/2 client HPACK desynchronization via header blocks for unknown streams in HTTP.jl","details":"### Description\n\nThe HTTP/2 client's `_process_incoming_frame!` dropped HEADERS/CONTINUATION frames for stream ids absent from `conn.streams` without passing the header block through the connection's HPACK decoder. Because HPACK's dynamic table is connection-scoped and mutated as a side effect of decoding each header block (RFC 7541 §2.3.2/§4), skipping even one block permanently desynchronizes the client decoder from the server encoder, causing later indexed header references on other multiplexed streams to resolve to wrong name/value pairs or throw \"HPACK index out of range\". This is reachable by a malicious server or by a benign race where trailers arrive after a stream is unregistered. The client also lacked the CONTINUATION sequencing enforcement the server already performed.\n\n### Impact\n\nA malicious server (or a race condition) could corrupt HPACK header decoding across all multiplexed streams on a client connection, producing incorrect header values or connection errors.\n\n### Patches\n\nFixed in HTTP.jl v2.4.0. Header blocks for unknown/closed streams are now accumulated (bounded by `max_header_block_bytes`) across HEADERS+CONTINUATION and HPACK-decoded purely for the dynamic-table side effect before being discarded, and a CONTINUATION sequencing guard (RFC 7540 §6.10) is enforced on the client read loop.\n\nReported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.","aliases":["ANT-2026-SCEWC4G3"],"modified":"2026-06-23T17:41:30.479737Z","published":"2026-06-23T12:59:32.708Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/commit/c2083a2ec9f903439abf349a3ab1e285a8e31795"},{"type":"WEB","url":"https://github.com/JuliaWeb/HTTP.jl/pull/1316"}],"affected":[{"package":{"name":"HTTP","ecosystem":"Julia","purl":"pkg:julia/HTTP?uuid=cd3eb016-35fb-5094-929b-558a96fad6f3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-624.json"}}],"schema_version":"1.7.5"}