CVE-2025-52479
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-06-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Julia packages URIs.jl and HTTP.jl allowing the construction of URIs containing unescaped Carriage Return and Line Feed (CR/LF) characters. This flaw enables attackers to perform CRLF injection attacks by embedding CRLF sequences in URIs, which can manipulate HTTP headers or requests. The vulnerability arises because the packages did not properly validate or reject CRLF characters in URIs before version 1.6.0 for URIs.jl and 1.10.17 for HTTP.jl. The fix hardens URI parsing by rejecting CRLF characters and raising errors if such characters are detected, preventing injection attacks. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow attackers to inject arbitrary HTTP headers or data into requests by exploiting CRLF injection. For example, an attacker can insert custom headers into HTTP requests, potentially leading to HTTP response splitting attacks or manipulation of server behavior. This can compromise the integrity of HTTP communications and may be used to bypass security controls or perform further attacks. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing if your system or network allows URIs containing unescaped CR/LF characters that lead to CRLF injection. For example, you can attempt to send an HTTP request with embedded CRLF sequences in the URI to see if the server processes injected headers. A sample command in Julia is: ```julia import HTTP HTTP.get("http://localhost:1337/ HTTP/1.1 \r\n Foo: bar \r\n baz: ") ``` If the server accepts this and processes the injected header "Foo: bar", it indicates vulnerability to CRLF injection. Monitoring logs for unexpected or malformed HTTP headers or responses containing injected headers can also help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps are to upgrade the affected packages to the fixed versions: HTTP.jl to version 1.10.17 or later, and URIs.jl to version 1.6.0 or later. These versions include validation that rejects URIs containing CR or LF characters, preventing CRLF injection. As a temporary workaround before upgrading, manually validate and sanitize any URIs to ensure they do not contain CR or LF characters before passing them to these packages. [1, 2]