The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.
http4s is an open source scala interface for HTTP. Header values (Header.value), Status reason phrases (Status.reason), URI paths (Uri.Path), URI authority registered names (URI.RegName).
The original CORS implementation and CORSConfig are deprecated.
Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns F[None], indicating no resource, if url.getFile is a directory, without first checking the scheme or authority of the URL. If a URL connection to the scheme and URL …
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s has a vulnerability which can lead to a denial-of-service.
http4s has a local file inclusion vulnerability due to URI normalization being applied incorrectly. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService.