CVE-2023-22465
HIGH7.5EPSS 0.34%Http4s improperly parses User-Agent and Server headers
Description
### Impact The `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. #### v0.21.x ```scala val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`) ``` #### v0.22.x, v0.23.x, v1.x ```scala val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`] val alsoUnsafe: Option[`Server`] = req.headers.get[Server] ``` ### Patches Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. ### Workarounds #### Use the weakly typed header interface ##### v0.21.x ```scala val safe: Option[Header] = req.headers.get("User-Agent".ci) // but don't do this val unsafe = header.map(_.parsed) ``` ##### v0.22.x, v0.23.x, v1.x ```scala val safe: Option[Header] = req.headers.get(ci"User-Agent") ```
Affected packages (5)
- Maven/org.http4s:http4s-core>= 1.0.0-M1, <= 1.0.0-M30
- Maven/org.http4s:http4s-core_2.10>= 0.1.0, <= 0.9.3
- Maven/org.http4s:http4s-core_2.11>= 0.1.0, <= 0.21.0-M1
- Maven/org.http4s:http4s-core_2.12>= 0.1.0, < 0.21.34
- Maven/org.http4s:http4s-core_2.13>= 0.1.0, < 0.21.34
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |