http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`å), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Threat-Mapped Scoring
Score: 1.8
Priority: P4 - Informational (Low)
S9 – Sabotage of System/App
EPSS
Score: 0.00738Percentile:
0.71886
CVSS Scoring
CVSS v3.1 Score: 8.7
Severity: HIGH
Mapped CWE(s)
CWE-74
: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-918
: Server-Side Request Forgery (SSRF)
All CAPEC(s)
CAPEC-10 : Buffer Overflow via Environment Variables
CAPEC-101 : Server Side Include (SSI) Injection
CAPEC-105 : HTTP Request Splitting
CAPEC-108 : Command Line Execution through SQL Injection
CAPEC-120 : Double Encoding
CAPEC-13 : Subverting Environment Variable Values
CAPEC-135 : Format String Injection
CAPEC-14 : Client-side Injection-induced Buffer Overflow
CAPEC-24 : Filter Failure through Buffer Overflow
CAPEC-250 : XML Injection
CAPEC-267 : Leverage Alternate Encoding
CAPEC-273 : HTTP Response Smuggling
CAPEC-28 : Fuzzing
CAPEC-3 : Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-34 : HTTP Response Splitting
CAPEC-42 : MIME Conversion
CAPEC-43 : Exploiting Multiple Input Interpretation Layers
CAPEC-45 : Buffer Overflow via Symbolic Links
CAPEC-46 : Overflow Variables and Tags
CAPEC-47 : Buffer Overflow via Parameter Expansion
CAPEC-51 : Poison Web Service Registry
CAPEC-52 : Embedding NULL Bytes
CAPEC-53 : Postfix, Null Terminate, and Backslash
CAPEC-6 : Argument Injection
CAPEC-64 : Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-664 : Server Side Request Forgery
CAPEC-67 : String Format Overflow in syslog()
CAPEC-7 : Blind SQL Injection
CAPEC-71 : Using Unicode Encoding to Bypass Validation Logic
CAPEC-72 : URL Encoding
CAPEC-76 : Manipulating Web Input to File System Calls
CAPEC-78 : Using Escaped Slashes in Alternate Encoding
CAPEC-79 : Using Slashes in Alternate Encoding
CAPEC-8 : Buffer Overflow in an API Call
CAPEC-80 : Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-83 : XPath Injection
CAPEC-84 : XQuery Injection
CAPEC-9 : Buffer Overflow in Local Command-Line Utilities
CAPEC(s) with Mapped TTPs
CAPEC-13 : Subverting Environment Variable Values
Mapped TTPs:
T1562.003
: Impair Command History Logging
T1574.006
: Dynamic Linker Hijacking
T1574.007
: Path Interception by PATH Environment Variable
CAPEC-267 : Leverage Alternate Encoding
Mapped TTPs:
T1027
: Obfuscated Files or Information
Mapped ATT&CK TTPs
T1562.003
: Impair Command History Logging
Kill Chain: defense-evasion
T1574.006
: Dynamic Linker Hijacking
Kill Chain: persistence
T1574.007
: Path Interception by PATH Environment Variable
Kill Chain: persistence
T1027
: Obfuscated Files or Information
Kill Chain: defense-evasion
Malware
APTs Threat Group Associations
Campaigns
ArcaneDoor 2016 Ukraine Electric Power Attack C0015 C0017
Affected Products
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*
← Back to Home
BrownCoat Threat Intelligence Platform | 2025 Steve Gray — You Can’t Take the Sky from Me