CVE-2025-52479

| EUVD-2025-19236 HIGH
2025-06-25 [email protected]
7.7
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19236
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 16:15 nvd
HIGH 7.7

Tags

Code Injection

Description

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package.

Analysis

CVE-2025-52479 is a CRLF injection vulnerability in URIs.jl (<1.6.0) and HTTP.jl (<1.10.17) that allows attackers to construct malicious URIs containing carriage return and line feed characters. If user input is not properly escaped, this can enable CRLF injection attacks to manipulate HTTP headers or protocol boundaries. The vulnerability has a CVSS score of 7.7 (high integrity impact) and affects Julia ecosystem users; patch versions are available and should be deployed immediately.

Technical Context

URIs.jl is a Julia package responsible for parsing and validating Uniform Resource Identifiers according to RFC standards. HTTP.jl is a Julia package providing HTTP client and server implementations that depends on URIs.jl for URI handling. The root cause (CWE-93: Improper Neutralization of CRLF Sequences in HTTP Headers) stems from insufficient validation of URI components before use in HTTP contexts. CR (\r, 0x0D) and LF (\n, 0x0A) characters are special in HTTP and can be used to inject additional headers or split requests when not properly sanitized. The vulnerability exists in the URI parsing layer (URIs.jl), with the fix backported to HTTP.jl v1.10.17 to ensure defense-in-depth. Affected CPE scope includes Julia package ecosystem: pkg:julia/URIs.jl and pkg:julia/HTTP.jl.

Affected Products

URIs.jl (< 1.6.0); HTTP.jl (< 1.10.17)

Remediation

Upgrade URIs.jl to version 1.6.0 or later; command: julia> using Pkg; Pkg.update("URIs"); priority: Immediate Upgrade HTTP.jl to version 1.10.17 or later; command: julia> using Pkg; Pkg.update("HTTP"); priority: Immediate Workaround: Implement manual URI validation before passing to HTTP.jl/URIs.jl functions; details: Validate that user-supplied URIs do not contain CR (\r, 0x0D) or LF (\n, 0x0A) characters. Use regex pattern: reject if /[\r\n]/ matches.; code_example: if occursin(r"[\r\n]", user_uri); error("Invalid URI"); end; priority: Temporary mitigation for unpatched systems Defense-in-Depth: Implement HTTP response header validation; details: Even with patched libraries, validate headers in HTTP responses to detect unexpected header injection; priority: Recommended supplementary control

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Share

CVE-2025-52479 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy