HTTP.jl Header Injection and Response Splitting Vulnerability
Vulnerability
A vulnerability in HTTP.jl, a Julia HTTP client and server library, prior to version 1.10.19, allowed header injection and response splitting by failing to validate header names and values for illegal characters. This CRLF-based injection could lead to various issues, including cache poisoning, cross-site scripting (XSS), and session fixation.
Impact
Exploitation of this vulnerability allows for HTTP response splitting and header injection, which can result in cache poisoning, cross-site scripting (XSS), session fixation, and more.
Reproduction
The vulnerability can be reproduced by sending HTTP requests with crafted header names or values that include illegal characters, such as carriage return and line feed (CRLF) sequences. This can be done using the HTTP.jl library in Julia by creating a server that handles requests and injecting headers that exploit the lack of validation. Proof of concept code is available in the GitHub advisory.
Remediation
Users are advised to update to HTTP.jl version 1.10.19, where this vulnerability has been fixed.
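As an added defensive example (not HTTP.jl's own code or its actual fix), the following Julia snippet shows the kind of check the advisory says was missing: header names are restricted to the RFC 9110 token grammar and header values to VCHAR, SP, HTAB and obs-text, so a CR or LF in either one is rejected before it can start a new header line or a new response. It assumes only Julia's standard library; the sample inputs are constructed.

```julia
# Added example, not HTTP.jl code: validate header names and values against
# the RFC 9110 grammar before they are serialized, so a CRLF in either one
# cannot split the response.

# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
const TCHAR_PUNCT = Set{Char}("!#\$%&'*+-.^_`|~")

# isascii guard keeps isletter/isdigit from accepting non-ASCII Unicode.
is_tchar(c::Char) = isascii(c) && (isletter(c) || isdigit(c) || c in TCHAR_PUNCT)

# A header name must be a non-empty token.
valid_header_name(name::AbstractString) = !isempty(name) && all(is_tchar, name)

# A field value may contain VCHAR, SP, HTAB and obs-text (bytes 0x80-0xFF);
# it must not contain CR, LF or any other control byte (0x00-0x1F, 0x7F).
function valid_header_value(value::AbstractString)
    for b in codeunits(value)
        b == 0x09 && continue              # HTAB is allowed
        (b < 0x20 || b == 0x7f) && return false   # CR, LF, NUL, other CTLs
    end
    return true
end

# Fail closed: raise instead of silently emitting a malformed header.
function check_header(name::AbstractString, value::AbstractString)
    valid_header_name(name) || throw(ArgumentError("illegal header name: $(repr(name))"))
    valid_header_value(value) || throw(ArgumentError("illegal header value: $(repr(value))"))
    return name => value
end

# Constructed inputs: one well-formed header, one value carrying a CRLF that
# would otherwise begin a second header line, and one name containing a space.
check_header("Set-Cookie", "session=abc; Path=/")   # passes
for (n, v) in [("Location", "/home\r\nX-Injected: 1"), ("Bad Name", "x")]
    try
        check_header(n, v)
    catch e
        println("rejected: ", e.msg)
    end
end
```

A server that applies such a check to every header it emits, including ones built from request data, removes the response-splitting vector regardless of which library version is installed.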
