{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.21.29"
              },
              {
                "introduced": "0.22.0"
              },
              {
                "fixed": "0.22.5"
              },
              {
                "introduced": "0.23.0"
              },
              {
                "fixed": "0.23.4"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone1"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone10"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone11"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone12"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone13"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone14"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone15"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone16"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone17"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone18"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone19"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone20"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone21"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone22"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone23"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone24"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone25"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone26"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone3"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone4"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone5"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone6"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone7"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone8"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.0.0-milestone9"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "214e217a2c87579deb7682e4d42f190b1060d950"
            },
            {
              "introduced": "3e98ea4a63e741c7f9d5e917d48d2ee8fab54476"
            },
            {
              "fixed": "4695eb16773b4ee9ed37b2f0d51d4ded16772779"
            },
            {
              "introduced": "06db471f053023ce3ffd7c568ce46d33551d1d69"
            },
            {
              "fixed": "1bdc15f793865c92008b6a4d76d1ce818be27ac9"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "756ce63aee681c5b632bbeafe0b8fde2f3d237f4"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "d68768bb0936ff8fd1b95bb2d2f006d4d92b627b"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "a6edc034138f758697a93aa4985e3621e12a2314"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "a8189fc3c885dead089f857728b8d2b20361af6d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "96c1fbefc08b58922bab72f4c0503cf393cdb13d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "bef11333d4e7f85b0387c979f1b30fe91331f313"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "5e7be4846286f43a19c801ff9e77a376a35a5378"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "8f52735b5362395c86acb3d33c51b9dc3551aa4f"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "b4beb2ac80a19ec31a843d7c80c1eff89b682a46"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "da5224d0754579c7d8a845f13dbbcb4754aa396d"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "cfc696d96e8f1419449bc5cf53f8d394f76cf1b2"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "d980b0b88a42026f942c048c6097f92f78ad52f2"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "94e23b89b520efb022842fbd404484c674222d2a"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "c0165bc83e7f802b7fe9e50aba8bd1fd589d3e2e"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "493d5091a891958e24c954c365ac91498106b229"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "6227ad21e0ddc372e433d279a7cdde387b0b0e3e"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "96f5a9f1c77bf3180d1144d4c040ef3b84af6a99"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "09ff0363c01a24486c4ff5592e4c92f4d7241b88"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "6634b4869c37945eccec3321702abaab54961a57"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "cb6639a21181c460af8fd55a8c6326cb37da791f"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "6b0d5130177eb7af03c3979b5cf99af70f452fc7"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "45c90d58c98e4153e6ed6a355199a394f026d092"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "20d0457c207a6e139b47b601fe4aca00c7ec05cf"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "83e7ceb76f0a46ba27efd6c1a3b90bd1b2b8fca6"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "490f74b689ce543a133c7e033b60cbb94cb9d539"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "6676c1e24a4e32e0c6c1a36911f4e6606c10e12b"
            },
            {
              "fixed": "d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
            }
          ],
          "repo": "https://github.com/http4s/http4s",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "http4s is an open source Scala interface for HTTP. In affected versions, http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), and URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 (the affected ranges in this record give 0.21.29 as the fixed version for the 0.21 line; confirm against the upstream advisory). As a matter of practice, http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.",
  "id": "CVE-2021-41084",
  "modified": "2026-03-15T13:49:01.059947274Z",
  "published": "2021-09-21T18:15:07.427Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
    },
    {
      "type": "ADVISORY",
      "url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
    },
    {
      "type": "FIX",
      "url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
    }
  ],
  "related": [
    "GHSA-5vcm-3xc3-w7x3"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}