Http4S
CVE-2021-21294
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 6 maven packages depend on org.http4s:http4s-blaze-server_2.12 (2 direct, 4 indirect)
- 9 maven packages depend on org.http4s:http4s-blaze-server_2.13 (2 direct, 7 indirect)
Ecosystem-wide dependent count for version 0.21.17 and other introduced versions.
DescriptionNVD
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the BlazeServerBuilder. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect maxConnections. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w.
AnalysisAI
Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface for HTTP services. Http4s before versions 0.21.17, 0.22.0-M2, and 1.0.0-M14 have a vulnerability which can lead to a denial-of-service. Blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. http4s provides a general "MaxActiveRequests" middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. In 0.21.17, 0.22.0-M2, and 1.0.0-M14, a new "maxConnections" property, with a default value of 1024, has been added to the BlazeServerBuilder. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. The NIO2 backend does not respect maxConnections. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22. There are several possible workarounds described in the refrenced GitHub Advisory GHSA-xhv5-w9c5-2r2w. Affected products include: Typelevel Http4S.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploita
Http4s is a minimal, idiomatic Scala interface for HTTP services. Rated critical severity (CVSS 9.1), this vulnerability
http4s is an open source scala interface for HTTP. Rated medium severity (CVSS 4.7), this vulnerability is remotely expl
http4s before versions 0.18.26, 0.20.20, and 0.21.2 has a local file inclusion vulnerability. Rated high severity (CVSS
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploita
Http4s is a Scala interface for HTTP services. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploita
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today