CVE-2025-52479

HIGH

HTTP.jl <1.10.17 & URIs.jl <1.6.0 - CRLF Injection

Title source: llm

Description

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package.

References (2)

[Vendor Advisory] https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93

[Issue Tracking] https://github.com/JuliaWeb/URIs.jl/pull/66

Scores

CVSS v4 7.7

EPSS 0.0035

EPSS Percentile 57.4%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-113 CWE-93

Status published

Products (1)

JuliaWeb/HTTP.jl < 1.10.17

Published Jun 25, 2025

Tracked Since Feb 18, 2026