High severityOSV Advisory· Published Oct 10, 2025· Updated Apr 15, 2026

CVE-2025-61689

Description

HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl v1.10.19.

Affected products

Juliaweb/Http.jlOSV
Range: v0.4.0, v0.4.1, v0.4.2, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/JuliaWeb/HTTP.jl/releases/tag/v1.10.19nvd
github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-h3x8-ppwj-6vcjnvd

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000