Browse all 8 CVE security advisories affecting http4s. AI-powered Chinese analysis, POCs, and references for each vulnerability.
http4s is a functional Scala library for building HTTP servers and clients, primarily used in backend services and microservices architectures. Historically, its vulnerabilities have included remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and insecure default configurations. While no major security incidents have been widely documented, the 8 recorded CVEs highlight potential risks in areas like request handling and dependency management. The library's functional design provides some inherent security benefits through immutability, but developers must remain vigilant about third-party dependencies and proper input sanitization to mitigate common web application threats.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-59822 | Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section | http4s | CWE-444 | 6.5 (AI) | Medium (AI) | 2025-09-23 |
| CVE-2023-22465 | Http4s has fatal error parsing User-Agent and Server headers | http4s | CWE-20 | 7.5 | High | 2023-01-04 |
| CVE-2021-41084 | Response Splitting from unsanitized headers in http4s | http4s | CWE-918 | 8.7 | High | 2021-09-21 |
| CVE-2021-39185 | Default CORS config allows any origin with credentials | http4s | CWE-346 | 9.1 | Critical | 2021-09-01 |
| CVE-2021-32643 | StaticFile.fromUrl can leak presence of a directory | http4s | CWE-22 | 5.8 | Medium | 2021-05-27 |
| CVE-2021-21294 | Unbounded connection acceptance in http4s-blaze-server | http4s | CWE-400 | 7.5 | High | 2021-02-02 |
| CVE-2021-21293 | Unbounded connection acceptance leads to file handle exhaustion | blaze | CWE-400 | 7.5 | High | 2021-02-02 |
| CVE-2020-5280 | Local file inclusion vulnerability in http4s | http4s | CWE-23 | 7.6 | High | 2020-03-25 |
This page lists every published CVE security advisory associated with http4s. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.