HTTP.jl and URIs.jl CRLF Injection Vulnerability
Vulnerability
A CRLF injection vulnerability has been identified in the URIs.jl and HTTP.jl packages for Julia. This issue arises from the ability to construct URIs that include CR/LF characters, which can be exploited to inject headers or data into the request body, potentially causing HTTP response splitting. The vulnerability exists in HTTP.jl versions through 1.10.16 and URIs.jl versions prior to 1.6.0.
Impact
Exploitation of this vulnerability allows CRLF injection: headers or data can be injected into the request body, which can cause HTTP response splitting.
Reproduction
To reproduce this vulnerability, send a GET request using the HTTP.jl package that includes CR/LF characters in the URI. The server will receive the request with the injected header or data, demonstrating the CRLF injection.
Remediation
Users of HTTP.jl should upgrade to version 1.10.17. Users of URIs.jl should upgrade to version 1.6.0. The latest version of HTTP.jl includes the necessary fix by requiring URIs.jl version 1.6 or later.
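The following is an added example in Julia, not code from HTTP.jl or URIs.jl, and the way those packages fix the issue may differ. It shows how a request-target containing CR/LF splits a naively serialized request head, and a check an application can apply to URI components before building a request; the function names are the example's own.

```julia
# Added example (not HTTP.jl/URIs.jl code): naive request serialization beside
# a hardened version that rejects CR/LF and other control characters.

# Naive serialization: concatenates the target into the request line as-is.
# Constructed to mirror the flaw described in the advisory.
function naive_request_head(method::AbstractString, target::AbstractString, host::AbstractString)
    return "$method $target HTTP/1.1\r\nHost: $host\r\n\r\n"
end

# RFC 7230 allows only visible ASCII in a request-target; CR and LF are the
# line terminators, so any control character is rejected here.
has_control(s::AbstractString) = any(iscntrl, s)

function safe_request_head(method::AbstractString, target::AbstractString, host::AbstractString)
    for (name, value) in (("method", method), ("target", target), ("host", host))
        has_control(value) && throw(ArgumentError("control character in $name: $(repr(value))"))
    end
    return naive_request_head(method, target, host)
end

# Number of header lines in a serialized head; a request built from a single
# Host header should yield exactly one.
header_lines(head::AbstractString) = length(filter(!isempty, split(head, "\r\n"))) - 1

# Constructed sample input: a path carrying an injected CR/LF sequence.
tainted = "/index.html\r\nX-Injected: 1"
println(header_lines(naive_request_head("GET", tainted, "example.com")))  # 2: an extra header appeared
try
    safe_request_head("GET", tainted, "example.com")
catch e
    println("rejected: ", e.msg)
end
println(header_lines(safe_request_head("GET", "/index.html", "example.com")))  # 1
```

Applying a check like this at the boundary where URI components enter the application is a stopgap; the upgrade above is the actual fix.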