Advisories for Maven/Org.http4s/Http4s-Server_2.11 package

http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (Header.nameå Header values (Header.value) Status reason phrases (Status.reason) URI paths (Uri.Path) URI authority registered names (URI.RegName) (through 0.21) The following backends render invalid carriage return, newline, or null characters in an unsafe fashion. | | blaze-server | ember-server | blaze-client | ember-client | jetty-client | |:—————|:————-|:————-|:————-|————–|————–| | …

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more …