
CVE-2025-52479: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in JuliaWeb HTTP.jl

Severity: High
Tags: Vulnerability, CVE-2025-52479, cve, cwe-93, cwe-113
Published: Wed Jun 25 2025 (06/25/2025, 16:06:45 UTC)
Source: CVE Database V5
Vendor/Project: JuliaWeb
Product: HTTP.jl

Description

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allow the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URIs.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package.

AI-Powered Analysis

Last updated: 06/25/2025, 16:37:15 UTC

Technical Analysis

CVE-2025-52479 is a high-severity vulnerability in the JuliaWeb HTTP.jl package before version 1.10.17 and in URIs.jl before version 1.6.0. HTTP.jl provides HTTP client and server functionality for the Julia programming language; URIs.jl parses and constructs Uniform Resource Identifiers (URIs) and is the component HTTP.jl relies on for URI handling. Affected versions accept URIs that contain raw carriage-return (CR, 0x0D) and line-feed (LF, 0x0A) characters, which RFC 3986 never permits in a URI (control characters must be percent-encoded). If an application builds a URI from user input without escaping or validating it, an attacker can therefore place CR/LF sequences into the URI.

Because HTTP/1.x delimits the request line and every header with CRLF, a URI carrying these characters lets the attacker terminate the request line early and append arbitrary headers, or even a second request, to whatever the client sends (HTTP request splitting and header injection on the client side). Where a server-side application reflects such a URI into a response header, typically a Location header on a redirect, the same primitive yields HTTP response splitting. Both are instances of CRLF injection; HTTP response splitting is the special case tracked as CWE-113, and it can be leveraged for web cache poisoning, cross-site scripting (XSS), session fixation and other header-based attacks.

The vulnerability requires no authentication or user interaction and is exploitable over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N); the precondition is that attacker-controlled data reaches URI construction in the application. Confidentiality impact is rated none, integrity impact high (HTTP requests and responses can be altered) and availability impact none. No exploitation in the wild has been observed. The fix places the URI validity check in URIs.jl (version 1.6.0), and HTTP.jl 1.10.17 incorporates that check, so both packages should be upgraded. As a temporary workaround, validate any URI for raw CR/LF before passing it to these libraries. The issue is tracked under CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-113 (HTTP Response Splitting).
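The mechanism described above, as an added example that is not part of the advisory and not HTTP.jl or URIs.jl code: a naive request serializer in Python stands in for any HTTP/1.1 client that trusts its URI string. build_url_unsafe shows the vulnerable concatenation, build_url_safe and validate_uri the percent-encode-then-reject pattern. The payload, base URL and host are constructed for illustration, and the hypothetical validator rejects every ASCII control character, which generalizes the CR/LF check the advisory describes.

```python
import re
from urllib.parse import quote

# Raw CR/LF (and every other ASCII control character) is never legal in a URI
# per RFC 3986; its presence is the injection primitive. Hypothetical check,
# broader than the advisory's CR/LF-only description.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_url_unsafe(base: str, path: str, params: dict) -> str:
    """Vulnerable pattern: untrusted path/query values are concatenated verbatim."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{base}{path}?{query}" if query else f"{base}{path}"


def validate_uri(uri: str) -> str:
    """Reject (do not strip) any URI carrying a control character.
    Returns the URI unchanged when it is clean, raises ValueError otherwise."""
    m = CONTROL_CHARS.search(uri)
    if m:
        raise ValueError(f"control character {m.group()!r} at offset {m.start()} in URI")
    return uri


def build_url_safe(base: str, path: str, params: dict) -> str:
    """Hardened pattern: percent-encode each untrusted component, then validate."""
    enc_path = "/".join(quote(seg, safe="") for seg in path.split("/"))
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items())
    url = f"{base}{enc_path}?{query}" if query else f"{base}{enc_path}"
    return validate_uri(url)


def serialize_request(url: str, host: str) -> str:
    """Naive HTTP/1.1 serializer standing in for a client that trusts its URI.
    Everything after the authority becomes the request-target, unchecked."""
    authority_start = url.index("://") + 3
    slash = url.find("/", authority_start)
    target = url[slash:] if slash != -1 else "/"
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def parse_head(wire: str) -> list:
    """What the server sees: the request head split on CRLF, one entry per line."""
    head = wire.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


# Constructed attacker input: ends the request line, adds a header, and uses a
# padding header so the client's own ' HTTP/1.1' tail lands harmlessly in a value.
PAYLOAD = "1 HTTP/1.1\r\nX-Injected: yes\r\nX-Pad:"
BASE = "https://api.example.test"  # constructed
HOST = "api.example.test"


def demo_unsafe() -> list:
    """Vulnerable build: the server parses four lines, two of them attacker-chosen."""
    url = build_url_unsafe(BASE, "/items", {"id": PAYLOAD})
    return parse_head(serialize_request(url, HOST))


def demo_safe() -> list:
    """Hardened build: the payload survives only as inert %0D%0A in the query."""
    url = build_url_safe(BASE, "/items", {"id": PAYLOAD})
    return parse_head(serialize_request(url, HOST))


def demo_validate_rejects() -> bool:
    """The validator refuses the raw-CR/LF URL that the unsafe builder produced."""
    try:
        validate_uri(build_url_unsafe(BASE, "/items", {"id": PAYLOAD}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("safe:  ", demo_safe())
    print("validator rejects raw CR/LF:", demo_validate_rejects())
```

Rejecting rather than stripping matters: a sanitizer that deletes CR/LF still hands the attacker a URI of their choosing, whereas a rejected request fails closed. The same validate_uri check applies to the server-side case, a Location header value built from a URI, since the header line is delimited by the same CRLF.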

Potential Impact

For European organizations running Julia services built on HTTP.jl and URIs.jl, particularly web-facing ones, this vulnerability poses a significant risk. An attacker who can get CR/LF into a URI the application builds can alter the outbound HTTP requests it sends or, where the URI is reflected into a response header, the responses it serves, leading to web cache poisoning and cross-site scripting attacks that compromise user sessions and data integrity. This is especially critical in sectors such as finance, healthcare and government, where the integrity of web communications is paramount. Exploitation needs no authentication or user interaction, so unpatched, exposed endpoints that accept user-supplied URLs or URL components (redirect targets, webhook or callback URLs, proxied fetches) are candidates for automated attack; an application that never derives URIs from untrusted input is not reachable through this bug. Organizations that use Julia for scientific computing or data analysis and expose HTTP endpoints, or fetch user-provided URLs, should not assume they are out of scope. The absence of known exploits in the wild leaves a window for proactive mitigation. Failure to address this vulnerability could lead to reputational damage, regulatory penalties under GDPR if personal data is compromised, and operational disruption of compromised web services.

Mitigation Recommendations

Immediately upgrade HTTP.jl to version 1.10.17 or later and URIs.jl to version 1.6.0 or later; these releases carry the official fix, and both must be updated because the check lives in URIs.jl. Validate every user-supplied URI, and every user-supplied component that is spliced into a URI, before it reaches HTTP.jl or URIs.jl: percent-encode untrusted path segments and query values, and reject (rather than silently strip) any URI that still contains a raw CR or LF, since stripping turns one attacker-chosen input into a different attacker-chosen URI. Review and audit Julia-based applications and services for HTTP.jl and URIs.jl usage, prioritizing those exposed to external networks and those that fetch or redirect to user-supplied URLs. A web application firewall with rules for CRLF injection and HTTP response splitting patterns (raw control characters, %0d%0a and double-encoded variants in request targets) adds a layer of defence for inbound traffic, but it does not see the outbound requests a vulnerable HTTP.jl client sends, so it cannot cover the request-splitting case on its own. Monitor inbound requests and the application's outbound HTTP traffic for anomalies such as unexpected or duplicated headers and unexpectedly pipelined requests, which may indicate attempted exploitation. Educate developers on secure URI handling in Julia applications so that similar patterns are not reintroduced. Where an immediate upgrade is not feasible, the manual validation routine above is the temporary mitigation: reject suspicious input rather than trying to repair it.
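One way to implement the monitoring step, as an added example that is not tooling from the advisory or from JuliaWeb: a Python scanner over constructed access-log lines in common log format flags request targets carrying raw, percent-encoded, double-encoded or log-escaped CR/LF, and a second check reports duplicated singleton headers in a captured response head. The log lines, addresses and response head are constructed for illustration; the `\xHH` pattern assumes the escaping convention common access-log formats use for non-printable bytes.

```python
import re
from urllib.parse import unquote

# Indicators in a logged request-target. Percent patterns are case-insensitive
# because %0d and %0D decode to the same byte.
RAW = re.compile(r"[\r\n]")
ENCODED = re.compile(r"%0[da]", re.IGNORECASE)
DOUBLE_ENCODED = re.compile(r"%250[da]", re.IGNORECASE)
# Assumed convention: the access log writes non-printable bytes as \xHH.
LOG_ESCAPED = re.compile(r"\\x0[da]", re.IGNORECASE)

# Common log format: ip ident user [ts] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Headers that must appear at most once per message; a repeat suggests injection.
SINGLETON_HEADERS = {"host", "content-length", "location", "content-type"}

# Constructed sample log: one benign request followed by three injection attempts.
SAMPLE_LOG = r"""
203.0.113.7 - - [25/Jun/2025:16:06:45 +0000] "GET /items?id=1 HTTP/1.1" 200 512
203.0.113.9 - - [25/Jun/2025:16:07:02 +0000] "GET /items?id=1%0d%0aX-Injected:%20yes HTTP/1.1" 200 512
198.51.100.4 - - [25/Jun/2025:16:07:30 +0000] "GET /redirect?next=%250D%250ASet-Cookie:%20a=b HTTP/1.1" 302 0
198.51.100.5 - - [25/Jun/2025:16:08:01 +0000] "GET /items?id=1\x0d\x0aHost:%20evil HTTP/1.1" 400 0
"""

# Constructed response head in which an injected second Location header appears.
RESPONSE_HEAD = [
    "HTTP/1.1 302 Found",
    "Location: https://example.test/login",
    "Set-Cookie: session=attacker-chosen",
    "Location: https://attacker.test/",
]


def indicators(target: str) -> list:
    """Return the CRLF-injection indicators present in one request-target."""
    found = []
    if RAW.search(target):
        found.append("raw-crlf")
    if LOG_ESCAPED.search(target):
        found.append("log-escaped-crlf")
    if ENCODED.search(target):
        found.append("encoded-crlf")
    if DOUBLE_ENCODED.search(target):
        found.append("double-encoded-crlf")
    # Decode twice so an encoding variant the literal patterns miss still surfaces.
    if RAW.search(unquote(unquote(target))):
        found.append("decoded-crlf")
    return found


def scan(log_text: str) -> list:
    """Parse common-log-format lines; return those whose target shows indicators."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these too
        found = indicators(m.group("target"))
        if found:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")),
                         "target": m.group("target"), "indicators": found})
    return hits


def duplicated_singleton_headers(head_lines: list) -> list:
    """Names of singleton headers occurring more than once in a message head.
    The first element is the status or request line and is skipped."""
    counts = {}
    for line in head_lines[1:]:
        name = line.split(":", 1)[0].strip().lower()
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if n in SINGLETON_HEADERS and c > 1)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["indicators"], hit["target"])
    print("duplicated headers:", duplicated_singleton_headers(RESPONSE_HEAD))
```

The decode-twice fallback is deliberately last: the literal patterns give a cheap, explainable match, and the decoded check catches the long tail of mixed-case and nested encodings without enumerating them. Run the same indicators() over the URLs your Julia service builds for outbound requests, since that is the path an inbound-only WAF never inspects.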


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-17T02:28:39.717Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685c2224c6576a567aed81d9

Added to database: 6/25/2025, 4:21:56 PM

Last enriched: 6/25/2025, 4:37:15 PM

Last updated: 8/7/2025, 11:21:45 AM

