Package Instance

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
http4s is an open source scala interface for HTTP. Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`).

Origin Validation Error
The original `CORS` implementation and `CORSConfig` are deprecated.

Http4s improperly parses User-Agent and Server headers
### Impact

The `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs.  In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. 

#### v0.21.x

```scala
val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)
```

#### v0.22.x, v0.23.x, v1.x

```scala
val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]
```

### Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

### Workarounds

#### Use the weakly typed header interface

##### v0.21.x

```scala
val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed) 
```

##### v0.22.x, v0.23.x, v1.x

```scala
val safe: Option[Header] = req.headers.get(ci"User-Agent")
```

Uncontrolled Resource Consumption
Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue.