Date: September 21, 2021

http4s is an open-source Scala interface for HTTP. In affected versions, http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: header names (`Header.name`), header values (`Header.value`), status reason phrases (`Status.reason`), URI paths (`Uri.Path`), and URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
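The input check recommended above can be applied before untrusted strings reach any of the five listed fields. The following is an added example, not code from http4s or from this advisory: it is plain Scala with no http4s dependency, and the names `SplitGuard`, `FieldKind` and `check` are hypothetical, as are the constructed sample inputs.

```scala
// Added example (not http4s code): reject CR, LF and NUL in untrusted input
// before it is used to build a header, status reason, URI path or reg-name.
object SplitGuard {
  sealed trait FieldKind
  case object HeaderName   extends FieldKind
  case object HeaderValue  extends FieldKind
  case object StatusReason extends FieldKind
  case object UriPath      extends FieldKind
  case object UriRegName   extends FieldKind

  // The three characters the advisory singles out.
  private def isSplitter(c: Char): Boolean =
    c == '\r' || c == '\n' || c.toInt == 0

  // RFC 7230 "tchar": the only characters permitted in a header field name.
  private def isTchar(c: Char): Boolean =
    (c < 128 && c.isLetterOrDigit) || "!#$%&'*+-.^_`|~".indexOf(c) >= 0

  // Right(raw) if the value is safe to place in the field, Left(reason) otherwise.
  // The reason reports position and code point only; it never echoes the raw
  // input, so the rejection message cannot itself carry CR/LF into a log line.
  def check(kind: FieldKind, raw: String): Either[String, String] =
    raw.indexWhere(isSplitter) match {
      case i if i >= 0 =>
        Left(f"$kind: control character U+${raw(i).toInt}%04X at index $i")
      case _ if kind == HeaderName && (raw.isEmpty || !raw.forall(isTchar)) =>
        Left(s"$kind: not an RFC 7230 token")
      case _ => Right(raw)
    }

  def main(args: Array[String]): Unit = {
    // Constructed inputs standing in for untrusted request data.
    val samples: Seq[(FieldKind, String)] = Seq(
      HeaderName   -> "X-Request-Id",
      HeaderName   -> "X-Request Id",                 // space is not a tchar
      HeaderValue  -> "en-US",
      HeaderValue  -> "en-US\r\nX-Injected: 1",       // CRLF would start a new header
      StatusReason -> "Not Found\nContent-Length: 0", // bare LF
      UriPath      -> "/files/report.pdf",
      UriRegName   -> "example.com\u0000.internal"    // embedded NUL
    )
    samples.foreach { case (kind, raw) => println(check(kind, raw)) }
  }
}
```

Rejecting the input rather than stripping the characters keeps the failure visible to the caller. This check complements the upgrade listed under Top Fix and does not replace it.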

Language: SCALA

Severity Score

Severity Score

Weakness Type (CWE)



Server-Side Request Forgery (SSRF)


Top Fix


Upgrade Version

Upgrade to version org.http4s:http4s-blaze-client_2.12:0.21.29, 0.22.5, 0.23.4, 1.0.0, org.http4s:http4s-blaze-client_2.13:0.21.29, 0.22.5, 0.23.4, 1.0.0, org.http4s:http4s-blaze-client_3:0.22.5, 0.23.4, 1.0.0

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): NONE


Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE