Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-59822

Good to know:

icon

Date: September 23, 2025

Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.

Severity Score

Related Resources (5)

https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr
https://github.com/http4s/http4s/commit/dd518f7c967e5165813b8d4a48a82b8fab852d41
https://nvd.nist.gov/vuln/detail/CVE-2025-59822
https://github.com/http4s/http4s
https://www.mend.io/vulnerability-database/CVE-2025-59822

Severity Score

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-444

Top Fix

icon

Upgrade Version

Upgrade to version org.http4s:http4s-ember-core_2.12:0.23.31;org.http4s:http4s-ember-core_2.13:0.23.31;org.http4s:http4s-ember-core_2.13:1.0.0-M45;org.http4s:http4s-ember-core_3:0.23.31;org.http4s:http4s-ember-core_3:1.0.0-M45;https://github.com/http4s/http4s.git - v0.23.31;https://github.com/http4s/http4s.git - v1.0.0-M45

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us