7.5

CVE-2025-59822

Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.
Data provided by the National Vulnerability Database (NVD)
Affected configurations

Vendor     Product   Version     Update
Typelevel  Http4s    < 0.23.31
Typelevel  Http4s    1.0.0       milestone1
Typelevel  Http4s    1.0.0       milestone2
Typelevel  Http4s    1.0.0       milestone3
Typelevel  Http4s    1.0.0       milestone4
Typelevel  Http4s    1.0.0       milestone5
Typelevel  Http4s    1.0.0       milestone6
Typelevel  Http4s    1.0.0       milestone7
Typelevel  Http4s    1.0.0       milestone8
Typelevel  Http4s    1.0.0       milestone9
Typelevel  Http4s    1.0.0       milestone10
Typelevel  Http4s    1.0.0       milestone11
Typelevel  Http4s    1.0.0       milestone12
Typelevel  Http4s    1.0.0       milestone13
Typelevel  Http4s    1.0.0       milestone14
Typelevel  Http4s    1.0.0       milestone15
Typelevel  Http4s    1.0.0       milestone16
Typelevel  Http4s    1.0.0       milestone17
Typelevel  Http4s    1.0.0       milestone18
Typelevel  Http4s    1.0.0       milestone19
Typelevel  Http4s    1.0.0       milestone20
Typelevel  Http4s    1.0.0       milestone21
Typelevel  Http4s    1.0.0       milestone22
Typelevel  Http4s    1.0.0       milestone23
Typelevel  Http4s    1.0.0       milestone24
Typelevel  Http4s    1.0.0       milestone25
Typelevel  Http4s    1.0.0       milestone26
Typelevel  Http4s    1.0.0       milestone27
Typelevel  Http4s    1.0.0       milestone28
Typelevel  Http4s    1.0.0       milestone29
Typelevel  Http4s    1.0.0       milestone30
Typelevel  Http4s    1.0.0       milestone31
Typelevel  Http4s    1.0.0       milestone32
Typelevel  Http4s    1.0.0       milestone33
Typelevel  Http4s    1.0.0       milestone34
Typelevel  Http4s    1.0.0       milestone35
Typelevel  Http4s    1.0.0       milestone36
Typelevel  Http4s    1.0.0       milestone37
Typelevel  Http4s    1.0.0       milestone38
Typelevel  Http4s    1.0.0       milestone39
Typelevel  Http4s    1.0.0       milestone40
Typelevel  Http4s    1.0.0       milestone41
Typelevel  Http4s    1.0.0       milestone42
Typelevel  Http4s    1.0.0       milestone43
Typelevel  Http4s    1.0.0       milestone44
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics

Type   Source     Score   Percentile
EPSS   FIRST.org  0.06%   0.181
CVSS Metrics

Source                          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                    7.5          3.9             3.6            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com  6.3          0               0              CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.