CVE-2023-22465

HIGH

http4s <1.0.0-M38 DoS via User-Agent and Server Header Parsing

Title source: llm

Description

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

References (1)

Core 1

Core References

Exploit, Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f

Scores

CVSS v3 7.5

EPSS 0.0084

EPSS Percentile 53.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (7)

org.http4s/http4s-core 1.0.0-M1Maven

org.http4s/http4s-core_2.10 0.1.0Maven

org.http4s/http4s-core_2.11 0.1.0Maven

org.http4s/http4s-core_2.12 0.1.0 - 0.21.34Maven

org.http4s/http4s-core_2.13 0.1.0 - 0.21.34Maven

typelevel/http4s 1.0.0 milestone1 (37 CPE variants)

typelevel/http4s 0.1.0 - 0.21.34

Published Jan 04, 2023

Tracked Since Feb 18, 2026