CVE-2021-41084

MEDIUM
Published Sep 21, 2021 · Modified Jun 17, 2026
CVSS 3.1 base score 4.7 (Medium)

Description

http4s is an open source Scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: header names (`Header.name`), header values (`Header.value`), status reason phrases (`Status.reason`), URI paths (`Uri.Path`), and URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27. As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening, because a CR/LF pair terminates a header line and lets the remainder of the input be parsed as a new header or message.
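The sanitization the description calls for, as an added example in plain Scala. This is not http4s project code and has no http4s dependency; the object and method names (`FieldGuard`, `checkHeaderName`, `checkHeaderValue`, `checkReasonPhrase`, `stripLineBreakers`) are my own. It rejects header names that contain anything outside the RFC 9110 token grammar and header values or reason phrases that contain any control character, which covers the CR, LF and NUL the advisory singles out, and it shows the lenient strip-only alternative for code paths that prefer cleanup to a 400.

```scala
// Added example (not http4s code): validate untrusted input before it becomes
// an HTTP field component. Names and inputs below are constructed for this demo.
object FieldGuard {
  // The three characters the advisory names as most dangerous: a CR/LF pair
  // ends a header line, a NUL truncates strings in many C-based parsers.
  val LineBreakers: Set[Char] = Set('\r', '\n', '\u0000')

  // RFC 9110 token characters (tchar), the only ones allowed in a header name.
  private def isTchar(c: Char): Boolean =
    (c < 128 && c.isLetterOrDigit) || "!#$%&'*+-.^_`|~".contains(c)

  // RFC 9110 field content: visible ASCII, obs-text (0x80-0xFF), SP and HTAB.
  // Every other control character (CR, LF, NUL, DEL, ...) is rejected.
  private def isFieldChar(c: Char): Boolean =
    c == '\t' || (c >= 0x20 && c != 0x7F && c <= 0xFF)

  sealed trait Verdict
  case object Ok extends Verdict
  final case class Rejected(reason: String) extends Verdict

  // Report the first character that violates the allowed predicate.
  private def firstBad(s: String, allowed: Char => Boolean, what: String): Verdict =
    s.find(c => !allowed(c)) match {
      case Some(c) => Rejected(f"U+${c.toInt}%04X not allowed in $what")
      case None    => Ok
    }

  def checkHeaderName(name: String): Verdict =
    if (name.isEmpty) Rejected("header name is empty")
    else firstBad(name, isTchar, "header name")

  def checkHeaderValue(value: String): Verdict =
    firstBad(value, isFieldChar, "header value")

  // Reason phrases follow the same field-content rule as header values.
  def checkReasonPhrase(reason: String): Verdict =
    firstBad(reason, isFieldChar, "reason phrase")

  // Lenient alternative for places where best-effort cleanup is preferred to
  // rejecting the request: drop only CR, LF and NUL and keep everything else.
  def stripLineBreakers(s: String): String = s.filterNot(LineBreakers.contains)

  def main(args: Array[String]): Unit = {
    // Constructed inputs: a benign redirect target and one carrying a CRLF
    // that would otherwise start a second header line in the response.
    val benign  = "https://example.com/next"
    val tainted = "https://example.com/next\r\nX-Injected: yes"
    println(checkHeaderValue(benign))
    println(checkHeaderValue(tainted))
    println(checkHeaderName("X-Request-Id"))
    println(checkHeaderName("X-Bad Name"))
    println(stripLineBreakers(tainted))
  }
}
```

Run with `scala FieldGuard.scala` (or paste into a REPL). The benign value and the well-formed header name come back `Ok`; the tainted value is rejected at the CR, the name containing a space is rejected at the SP, and the strip variant returns the tainted value with the CR and LF removed. Rejecting is the safer default for header names and reason phrases, which a user rarely has a legitimate reason to control; stripping is mainly useful for values such as redirect targets where the rest of the input is still wanted.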

CVSS Details

Base Score
4.7
Exploitability
2.8
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: None
Integrity: Low
Availability: None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-918 Server-Side Request Forgery (SSRF)

Affected Products 29

Vendor     Product  Version  Range
typelevel  http4s   *        <0.21.29
typelevel  http4s   *        ≥0.22.0 – <0.22.5
typelevel  http4s   *        ≥0.23.0 – <0.23.4
typelevel  http4s   1.0.0    any   (26 identical entries on the page; their pre-release qualifiers are not shown)

References 4

  • github.com https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8
    Patch, Third Party Advisory
  • github.com https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3
    Exploit, Third Party Advisory
  • httpwg.org https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values
    Vendor Advisory
  • owasp.org https://owasp.org/www-community/attacks/HTTP_Response_Splitting
    Third Party Advisory

Remediation

  • github.com https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8
    Patch, Third Party Advisory