CVE-2025-61689

HTTP.jl <1.10.19 - CRLF-based Header Injection

Title source: llm

Description

HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl `v1.10.19`.

References (2)

[Vendor Advisory] https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-h3x8-ppwj-6vcj

[Release Notes] https://github.com/JuliaWeb/HTTP.jl/releases/tag/v1.10.19

Scores

EPSS 0.0005

EPSS Percentile 13.9%

Classification

CWE

CWE-113

Status draft

Timeline

Published Oct 10, 2025

Tracked Since Feb 18, 2026