CVE-2021-39185
CRITICALhttp4s < 0.21.27, 0.22.0-0.22.2, 0.23.0-0.23.1, 1.0.0-M1-1.0.0-M24 - Origin Validation Error in CORS Configuration
Title source: llmDescription
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6
Third Party Advisory x_refsource_misc
https://github.com/http4s/http4s/releases/tag/v0.23.2
Scores
CVSS v3
9.1
EPSS
0.0057
EPSS Percentile
42.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-346
Status
published
Products (10)
org.http4s/http4s-server_2.10
0Maven
org.http4s/http4s-server_2.11
0Maven
org.http4s/http4s-server_2.12
0 - 0.21.27Maven
org.http4s/http4s-server_2.13
0 - 0.21.27Maven
org.http4s/http4s-server_2.13.0-M5
0Maven
org.http4s/http4s-server_3
0.22.0 - 0.22.3Maven
typelevel/http4s
0.23.0
typelevel/http4s
0.23.1
typelevel/http4s
1.0.0 milestone1 (24 CPE variants)
typelevel/http4s
< 0.21.26
Published
Sep 01, 2021
Tracked Since
Feb 18, 2026