Skip to main content

EUVDEUVD-2025-19236

| CVE-2025-52479 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2025-06-25 security-advisories@github.com
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:36 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.10.17
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19236
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
CVE Published
Jun 25, 2025 - 16:15 nvd
HIGH 7.7

DescriptionGitHub Advisory

HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package.

AnalysisAI

CVE-2025-52479 is a CRLF injection vulnerability in URIs.jl (<1.6.0) and HTTP.jl (<1.10.17) that allows attackers to construct malicious URIs containing carriage return and line feed characters. If user input is not properly escaped, this can enable CRLF injection attacks to manipulate HTTP headers or protocol boundaries. The vulnerability has a CVSS score of 7.7 (high integrity impact) and affects Julia ecosystem users; patch versions are available and should be deployed immediately.

Technical ContextAI

URIs.jl is a Julia package responsible for parsing and validating Uniform Resource Identifiers according to RFC standards. HTTP.jl is a Julia package providing HTTP client and server implementations that depends on URIs.jl for URI handling. The root cause (CWE-93: Improper Neutralization of CRLF Sequences in HTTP Headers) stems from insufficient validation of URI components before use in HTTP contexts. CR (\r, 0x0D) and LF (\n, 0x0A) characters are special in HTTP and can be used to inject additional headers or split requests when not properly sanitized. The vulnerability exists in the URI parsing layer (URIs.jl), with the fix backported to HTTP.jl v1.10.17 to ensure defense-in-depth. Affected CPE scope includes Julia package ecosystem: pkg:julia/URIs.jl and pkg:julia/HTTP.jl.

RemediationAI

Upgrade URIs.jl to version 1.6.0 or later; command: julia> using Pkg; Pkg.update("URIs"); priority: Immediate Upgrade HTTP.jl to version 1.10.17 or later; command: julia> using Pkg; Pkg.update("HTTP"); priority: Immediate Workaround: Implement manual URI validation before passing to HTTP.jl/URIs.jl functions; details: Validate that user-supplied URIs do not contain CR (\r, 0x0D) or LF (\n, 0x0A) characters. Use regex pattern: reject if /[\r\n]/ matches.; code_example: if occursin(r"[\r\n]", user_uri); error("Invalid URI"); end; priority: Temporary mitigation for unpatched systems Defense-in-Depth: Implement HTTP response header validation; details: Even with patched libraries, validate headers in HTTP responses to detect unexpected header injection; priority: Recommended supplementary control

Share

EUVD-2025-19236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy