VYPR
High severity · NVD Advisory · Published Jan 4, 2023 · Updated Mar 10, 2025

Http4s has fatal error parsing User-Agent and Server headers

CVE-2023-22465

Description

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.http4s:http4s-core_2.13 (Maven) | >= 0.1.0, < 0.21.34 | 0.21.34 |
| org.http4s:http4s-core_2.13 (Maven) | >= 0.22.0, < 0.22.15 | 0.22.15 |
| org.http4s:http4s-core_2.13 (Maven) | >= 0.23.0, < 0.23.17 | 0.23.17 |
| org.http4s:http4s-core_2.13 (Maven) | >= 1.0.0-M1, < 1.0.0-M38 | 1.0.0-M38 |
| org.http4s:http4s-core_2.10 (Maven) | >= 0.1.0, <= 0.9.3 | |
| org.http4s:http4s-core_2.11 (Maven) | >= 0.1.0, <= 0.21.0-M1 | |
| org.http4s:http4s-core_2.12 (Maven) | >= 0.1.0, < 0.21.34 | 0.21.34 |
| org.http4s:http4s-core_2.12 (Maven) | >= 0.22.0, < 0.22.15 | 0.22.15 |
| org.http4s:http4s-core_2.12 (Maven) | >= 0.23.0, < 0.23.17 | 0.23.17 |
| org.http4s:http4s-core (Maven) | >= 1.0.0-M1, <= 1.0.0-M30 | |
