CVE-2025-52479

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package.

CVSS

No CVSS.

References

Link	Resource
https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93
https://github.com/JuliaWeb/URIs.jl/pull/66

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 16:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-52479

Mitre link : CVE-2025-52479

CVE.ORG link : CVE-2025-52479

JSON object : View

Products Affected

No product.

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

{"id": "CVE-2025-52479", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-25T16:15:27.017", "references": [{"url": "https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93", "source": "security-advisories@github.com"}, {"url": "https://github.com/JuliaWeb/URIs.jl/pull/66", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-113"}]}], "descriptions": [{"lang": "en", "value": "HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package."}, {"lang": "es", "value": "HTTP.jl proporciona funcionalidad de cliente y servidor HTTP para Julia, y URIs.jl analiza y trabaja con Identificadores Uniformes de Recursos (URI). Las versiones anteriores a URIs.jl 1.6.0 y 1.10.17 de HTTP.jl permiten la construcci\u00f3n de URIs con caracteres CR/LF. Si la entrada del usuario no se escapa ni se protege de otra forma, puede provocar un ataque de inyecci\u00f3n CRLF. Los usuarios de HTTP.jl deben actualizar inmediatamente a HTTP.jl v1.10.17 y URIs.jl v1.6.0. La comprobaci\u00f3n de URIs v\u00e1lidos ahora se encuentra en el paquete URI.jl, y la \u00faltima versi\u00f3n de HTTP.jl incorpora esta correcci\u00f3n. Como soluci\u00f3n alternativa, valide manualmente cualquier URI antes de pasarlo a las funciones de este paquete."}], "lastModified": "2025-06-26T18:57:43.670", "sourceIdentifier": "security-advisories@github.com"}