CVE-2025-61689
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl `v1.10.19`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61689
EUVD
EUVD-2025-33756
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
julia http.jl 1.10.17
julia http.jl 1.10.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in HTTP.jl occurs because the software does not properly validate HTTP header names and values for illegal characters like carriage return (CR) and line feed (LF). This allows attackers to inject CRLF sequences into headers, leading to HTTP header injection and response splitting attacks. Essentially, attackers can manipulate HTTP responses by inserting additional headers or splitting responses, which can be exploited in various ways. [2]

Impact Analysis

The vulnerability can lead to HTTP response splitting, which enables attacks such as cache poisoning, cross-site scripting (XSS), session fixation, and other malicious activities. These impacts can compromise the security and integrity of web applications using HTTP.jl versions prior to 1.10.19. [2]

Detection Guidance

This vulnerability can be detected by testing for HTTP header injection or response splitting via injection of CR (\r) and LF (\n) characters in HTTP header names or values. You can attempt to send crafted HTTP requests with headers containing CRLF sequences to see if the server improperly processes them, leading to additional headers or response splitting. For example, using curl or netcat to send headers with encoded CRLF sequences and observing the response headers for injection effects. Specific commands are not provided in the resources, but a typical approach is to send requests with headers like 'X-Test: value\r\nInjected-Header: injected' and check if the injected header appears in the response. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade HTTP.jl to version 1.10.19 or later, where the vulnerability is fixed by proper validation of HTTP header names and values to prevent CRLF injection. If upgrading is not immediately possible, consider implementing input validation or filtering to block CR and LF characters in HTTP headers at the application or proxy level to reduce risk. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart