CVE-2025-52479 is a high-severity vulnerability affecting the JuliaWeb HTTP.jl package, specifically versions prior to 1.10.17, and the URIs.jl package prior to version 1.6.0. The vulnerability arises from improper neutralization of CRLF (Carriage Return Line Feed) sequences in Uniform Resource Identifiers (URIs) constructed or parsed by these libraries. HTTP.jl provides HTTP client and server functionality for the Julia programming language, while URIs.jl is responsible for parsing and handling URIs. The flaw allows malicious actors to inject CRLF characters into URIs if user input is not properly escaped or validated before being processed. This can lead to CRLF injection attacks, which are a form of HTTP response splitting. Such attacks can manipulate HTTP headers, enabling attackers to craft malicious responses that can lead to web cache poisoning, cross-site scripting (XSS), session fixation, or other injection-based attacks. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact on confidentiality is none, but integrity is high due to the ability to manipulate HTTP responses, and availability is not affected. The vulnerability has not yet been observed exploited in the wild. The fix involves upgrading HTTP.jl to version 1.10.17 or later and URIs.jl to version 1.6.0 or later, which incorporate stricter URI validation and neutralization of CRLF sequences. As a temporary workaround, users should manually validate and sanitize any URIs before passing them to these libraries to prevent injection of CRLF characters. This vulnerability is tracked under CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-113 (HTTP Response Splitting).

For European organizations using JuliaWeb's HTTP.jl and URIs.jl libraries, particularly in web-facing applications or services, this vulnerability poses a significant risk. Exploitation could allow attackers to manipulate HTTP responses, potentially leading to web cache poisoning and cross-site scripting attacks that compromise user sessions and data integrity. This is especially critical for organizations in sectors such as finance, healthcare, and government, where data integrity and secure web communications are paramount. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of automated attacks and widespread exploitation if unpatched. Additionally, organizations relying on Julia for scientific computing or data analysis that expose HTTP endpoints could inadvertently expose themselves to these risks. The absence of known exploits in the wild suggests a window of opportunity for proactive mitigation. Failure to address this vulnerability could lead to reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational disruptions due to compromised web services.

Immediately upgrade HTTP.jl to version 1.10.17 or later and URIs.jl to version 1.6.0 or later to incorporate the official fixes for CRLF injection. Implement strict input validation and sanitization for all user-supplied URIs before they are processed by HTTP.jl or URIs.jl, ensuring that CR and LF characters are either removed or properly encoded. Review and audit all Julia-based web applications and services to identify usage of HTTP.jl and URIs.jl, prioritizing those exposed to external networks. Employ web application firewalls (WAFs) with rules targeting HTTP response splitting and CRLF injection patterns to provide an additional layer of defense. Monitor HTTP responses for anomalies such as unexpected header injections or duplicated headers that may indicate attempted exploitation. Educate developers on secure URI handling practices within Julia applications to prevent introduction of similar vulnerabilities in the future. In environments where immediate upgrade is not feasible, implement manual URI validation routines as a temporary mitigation to reject or sanitize suspicious input.