Http4s Trailer Header Handling Vulnerability Leading to HTTP Request Smuggling

Vulnerability

A vulnerability allowing HTTP request smuggling has been identified in Http4s, a Scala library for HTTP services. It affects the 1.0.0 milestone releases from 1.0.0-M1 up to but not including 1.0.0-M45, as well as all versions prior to 0.23.31. The vulnerability arises from improper handling of HTTP trailer headers in chunked requests, which can let an attacker bypass security controls enforced by a front-end server, target active users of the application, and poison web caches. Exploitation requires the web application to sit behind a reverse proxy that forwards trailer headers to the Http4s back end.

Impact

Exploitation of this vulnerability allows HTTP request smuggling, in which the front end and the Http4s back end disagree about where one request ends and the next begins, so that a single request is interpreted as two. This can lead to bypassing front-end security controls, attacks against other users, and web cache poisoning.

Reproduction

The vulnerability can be reproduced by sending a chunked HTTP request that includes trailer headers. The server parses the trailer section incorrectly, so that a second request can be smuggled within the first; this can be verified by observing the server's response to the smuggled request.

Remediation

Users can update to Http4s versions 1.0.0-M45 or 0.23.31, where this vulnerability has been patched.
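As an added example (not code from this advisory or from the http4s project), the following Python script classifies http4s version strings against the affected ranges stated above and scans an sbt dependency list for vulnerable artifacts. The build.sbt excerpt is constructed, and treating pre-release tags other than the 1.0.0-Mx milestones as unclassifiable is an assumption.

```python
import re
from typing import Optional

# Affected ranges as stated in the advisory: every release before 0.23.31,
# and the 1.0.0 milestones from 1.0.0-M1 up to (but not including) 1.0.0-M45.
FIXED_STABLE = (0, 23, 31)
FIXED_MILESTONE = 45

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def is_affected(version: str) -> Optional[bool]:
    """True if the http4s version is in an affected range, False if it is fixed,
    None if the string is not a release or 1.0.0-Mx milestone we can classify."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None  # e.g. RC or SNAPSHOT tags: assumption, left unclassified
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = m.group(4)
    if milestone is not None:
        # Only the 1.0.0-Mx milestone line is described by the advisory.
        if (major, minor, patch) != (1, 0, 0):
            return None
        return 1 <= int(milestone) < FIXED_MILESTONE
    return (major, minor, patch) < FIXED_STABLE


# Matches an sbt dependency such as  "org.http4s" %% "http4s-ember-server" % "0.23.30"
_SBT_DEP_RE = re.compile(r'"org\.http4s"\s*%%?\s*"(http4s-[\w-]+)"\s*%\s*"([^"]+)"')


def scan_build_sbt(text: str) -> list[tuple[str, str, Optional[bool]]]:
    """Find http4s dependencies in build.sbt text and classify each version."""
    return [(art, ver, is_affected(ver)) for art, ver in _SBT_DEP_RE.findall(text)]


# Constructed sample build.sbt excerpt (not from any real project).
SAMPLE_BUILD_SBT = '''
libraryDependencies ++= Seq(
  "org.http4s" %% "http4s-ember-server" % "0.23.30",
  "org.http4s" %% "http4s-dsl"          % "0.23.31",
  "org.http4s" %% "http4s-circe"        % "1.0.0-M44",
)
'''

if __name__ == "__main__":
    for art, ver, affected in scan_build_sbt(SAMPLE_BUILD_SBT):
        status = {True: "AFFECTED", False: "fixed", None: "unclassified"}[affected]
        print(f"{art:24} {ver:12} {status}")
```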

Added: Sep 23, 2025, 7:17 PM
Updated: Sep 23, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.