CVE-2025-59822
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-10-08
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59822
Affected Vendors & Products
Showing 45 associated CPEs
Vendor Product Version / Range
typelevel http4s to 0.23.31 (exc)
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
typelevel http4s 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTTP Request Smuggling issue in the http4s Scala HTTP service interface. It occurs due to improper handling of the HTTP trailer section in versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31. Attackers can exploit this by sending specially crafted HTTP requests that bypass front-end server security controls, potentially allowing them to launch targeted attacks against active users and poison web caches. Exploitation requires the web application to be behind a reverse-proxy that forwards trailer headers. The issue has been fixed in versions 1.0.0-M45 and 0.23.31.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass security controls on front-end servers, which may lead to unauthorized access or manipulation of web traffic. Attackers could launch targeted attacks against active users, potentially compromising user data or sessions. Additionally, they could poison web caches, causing incorrect or malicious content to be served to users.

Mitigation Strategies

To mitigate this vulnerability, upgrade http4s to version 1.0.0-M45 or later, or 0.23.31 or later, where the issue has been patched. Additionally, ensure that your web application is not deployed behind a reverse-proxy that forwards trailer headers, as this is a pre-requisite for exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59822. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart