CVE-2025-61689
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| julia | http.jl | 1.10.17 |
| julia | http.jl | 1.10.19 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in HTTP.jl occurs because the software does not properly validate HTTP header names and values for illegal characters like carriage return (CR) and line feed (LF). This allows attackers to inject CRLF sequences into headers, leading to HTTP header injection and response splitting attacks. Essentially, attackers can manipulate HTTP responses by inserting additional headers or splitting responses, which can be exploited in various ways. [2]
How can this vulnerability impact me? :
The vulnerability can lead to HTTP response splitting, which enables attacks such as cache poisoning, cross-site scripting (XSS), session fixation, and other malicious activities. These impacts can compromise the security and integrity of web applications using HTTP.jl versions prior to 1.10.19. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for HTTP header injection or response splitting via injection of CR (\r) and LF (\n) characters in HTTP header names or values. You can attempt to send crafted HTTP requests with headers containing CRLF sequences to see if the server improperly processes them, leading to additional headers or response splitting. For example, using curl or netcat to send headers with encoded CRLF sequences and observing the response headers for injection effects. Specific commands are not provided in the resources, but a typical approach is to send requests with headers like 'X-Test: value\r\nInjected-Header: injected' and check if the injected header appears in the response. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade HTTP.jl to version 1.10.19 or later, where the vulnerability is fixed by proper validation of HTTP header names and values to prevent CRLF injection. If upgrading is not immediately possible, consider implementing input validation or filtering to block CR and LF characters in HTTP headers at the application or proxy level to reduce risk. [2, 1]