CVE-2020-5280

HIGH EPSS 93.2%
Published Mar 25, 20206y ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published Mar 25, 2020 6y ago
Last Modified Jun 17, 2026 2w ago

Description

http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. This vulnerability applies to all users of org.http4s.server.staticcontent.FileService, org.http4s.server.staticcontent.ResourceService and org.http4s.server.staticcontent.WebjarService. URI normalization is applied incorrectly. Requests whose path info contain ../ or // can expose resources outside of the configured location. This issue is patched in versions 0.18.26, 0.20.20, and 0.21.2. Note that 0.19.0 is a deprecated release and has never been supported.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
93.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt
CWE-23

Affected Products 3

VendorProductVersionRange
typelevelhttp4s* <0.18.26
typelevelhttp4s*≥0.19.0  –  <0.20.20
typelevelhttp4s*≥0.21.0  –  <0.21.2

References 4

  • github.com https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec
    Patch
  • github.com https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca
    Patch
  • github.com https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b
    Patch
  • github.com https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6
    Third Party Advisory

Remediation

  • github.com https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec
    Patch
  • github.com https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca
    Patch
  • github.com https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b
    Patch