CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
52.2%
http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:
Header.name
åHeader.value
)Status.reason
)Uri.Path
)URI.RegName
) (through 0.21)The following backends render invalid carriage return, newline, or null characters in an unsafe fashion.
blaze-server | ember-server | blaze-client | ember-client | jetty-client | |
---|---|---|---|---|---|
header names | ⚠ | ⚠ | ⚠ | ⚠ | ⚠ |
header values | ⚠ | ⚠ | ⚠ | ⚠ | |
status reasons | ⚠ | ⚠ | |||
URI paths | ⚠ | ⚠ | |||
URI regnames | ⚠ < 0.22 | ⚠ < 0.22 |
For example, given the following service:
import cats.effect._
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.server.blaze.BlazeServerBuilder
import scala.concurrent.ExecutionContext.global
object ResponseSplit extends IOApp {
override def run(args: List[String]): IO[ExitCode] =
BlazeServerBuilder[IO](global)
.bindHttp(8080)
.withHttpApp(httpApp)
.resource
.use(_ => IO.never)
val httpApp: HttpApp[IO] =
HttpApp[IO] { req =>
req.params.get("author") match {
case Some(author) =>
Ok("The real content")
.map(_.putHeaders(Header("Set-Cookie", s"author=${author}")))
case None =>
BadRequest("No author parameter")
}
}
}
A clean author
parameter returns a clean response:
curl -i 'http://localhost:8080/?author=Ross'
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=Ross
Date: Mon, 20 Sep 2021 04:12:10 GMT
Content-Length: 16
The real content
A malicious author
parameter allows a user-agent to hijack the response from our server and return different content:
curl -i 'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=hax0r
Content-Length: 13
I hacked you
Versions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:
\u0000
), carriage return (\r
), and newline (\n
) with space (
) characters per spec.IllegalArgumentException
.IllegalArgumentException
.http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Not all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
org.http4s | http4s-client | * | cpe:2.3:a:org.http4s:http4s-client:*:*:*:*:*:*:*:* |
org.http4s | http4s-server | * | cpe:2.3:a:org.http4s:http4s-server:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-5vcm-3xc3-w7x3
github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8
github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3
httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values
nvd.nist.gov/vuln/detail/CVE-2021-41084
owasp.org/www-community/attacks/HTTP_Response_Splitting
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS
Percentile
52.2%