CVE-2025-52479 Overview
CVE-2025-52479 is a CRLF (Carriage Return Line Feed) injection vulnerability in the Julia ecosystem's HTTP.jl and URIs.jl packages. The URI parsing logic accepted carriage return and line feed characters instead of rejecting them, so when an application passes user-supplied input into URI construction or HTTP request functions without prior escaping, an attacker can inject control characters that terminate the current line and split the resulting HTTP request or response. The vulnerability is classified under [CWE-93] Improper Neutralization of CRLF Sequences. URIs.jl versions prior to 1.6.0 and HTTP.jl versions prior to 1.10.17 are affected.
Critical Impact
Attackers can perform CRLF injection through unvalidated URIs, enabling HTTP header injection, request smuggling, response splitting, and downstream attacks against the integrity of HTTP communications.
Affected Products
- HTTP.jl prior to version 1.10.17
- URIs.jl prior to version 1.6.0
- Julia applications consuming user-controlled URI input via these packages
Discovery Timeline
- 2025-06-25 - CVE-2025-52479 published to the National Vulnerability Database (NVD)
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2025-52479
Vulnerability Analysis
The vulnerability resides in the URI construction logic of URIs.jl, which did not reject carriage return (\r) and line feed (\n) characters during URI parsing. HTTP.jl depended on URIs.jl for URI validation, inheriting the same weakness in its HTTP client and server functionality. When an application passes attacker-controlled strings into URI builders or HTTP request functions, embedded CRLF sequences can terminate the current header line and inject arbitrary headers or body content into the resulting HTTP message. This behavior enables HTTP response splitting, request smuggling, and session fixation, depending on how the constructed URI is later used by downstream HTTP machinery.
Root Cause
The root cause is missing input neutralization for CRLF sequences in the URI parser. URIs.jl accepted arbitrary control characters in user-controlled URI components, and HTTP.jl forwarded those values into raw HTTP request lines and headers. Validation has now been centralized in URIs.jl, and HTTP.jl 1.10.17 requires URIs.jl 1.6 or later so that the fixed parser is always in use.
Attack Vector
Exploitation requires the attacker to influence a URI string that the application passes to HTTP.jl or URIs.jl, for example a redirect target or callback URL taken from a request parameter. The vector is network-based and needs neither authentication nor user interaction. By embedding %0D%0A (in either case) or raw CR/LF bytes in a URI component, an attacker can append forged HTTP headers, smuggle a second request, or poison cached responses on intermediary proxies. The percent-encoded form is effective wherever the application decodes the parameter before building the outbound URI, which web frameworks typically do for query and form values.
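To make the splitting concrete, the following is an added Python illustration, not code from HTTP.jl, URIs.jl or the advisory, of what happens when a URI component carrying CR/LF is interpolated into a raw HTTP/1.1 request. The naive builder, the parser standing in for the receiving peer, the host name api.internal and the attacker string are all constructed for this example; the strict builder shows the control-character rejection that the fixed URI validation performs.

```python
# Added illustration, not code from HTTP.jl or URIs.jl: a raw HTTP/1.1 request
# builder that trusts a user-controlled path, a CRLF-splitting parser that
# stands in for the receiving server or proxy, and the hardened builder.
from urllib.parse import unquote


def build_request_naive(path: str, host: str) -> bytes:
    """Deliberately vulnerable: `path` is interpolated without rejecting
    CR/LF, so an embedded CRLF ends the request line early and everything
    after it is parsed by the peer as header lines."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")


def build_request_strict(path: str, host: str) -> bytes:
    """Hardened variant: refuse every ASCII control character (CR, LF, NUL,
    ...) and DEL in the URI component instead of letting it reach the wire."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise ValueError("control character in URI path")
    return build_request_naive(path, host)


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split an HTTP/1.1 head into the request line and (name, value) pairs.
    Headers stay a list so a duplicated Host is visible rather than collapsed,
    which is what matters for smuggling."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def injected_headers(user_input: str, host: str = "api.internal") -> list[tuple[str, str]]:
    """Headers the peer sees that the application never meant to send.

    `user_input` is modelled as a percent-encoded query parameter that a web
    framework has already decoded (so %0D%0A arrives as raw CR LF) before the
    application builds an outbound URI from it."""
    _request_line, headers = parse_head(build_request_naive(unquote(user_input), host))
    return [(name, value) for name, value in headers if name != "host"]


# Constructed attacker input: a plausible path that smuggles a header. The
# trailing "Ignored:" soaks up the " HTTP/1.1" the builder appends.
ATTACK = "/search?q=julia%20HTTP/1.1%0D%0AX-Injected:%201%0D%0AIgnored:"

if __name__ == "__main__":
    print(injected_headers(ATTACK))
    try:
        build_request_strict(unquote(ATTACK), "api.internal")
    except ValueError as exc:
        print("strict builder rejected input:", exc)
```

Running it shows the peer accepting an X-Injected header that the application never set, while the strict builder raises before anything is sent; the same rejection is what moving validation into the URI parser achieves for every caller at once.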
name = "HTTP"
uuid = "cd3eb016-35fb-5094-929b-558a96fad6f3"
authors = ["Jacob Quinn", "contributors: https://github.com/JuliaWeb/HTTP.jl/graphs/contributors"]
-version = "1.10.16"
+version = "1.10.17"
[deps]
Base64 = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"
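Review bot: the hunk only bumps `version` in Project.toml from `1.10.16` to `1.10.17`; the `[compat]` entry raising URIs to `>= 1.6`, which the accompanying comment credits with delivering the CRLF validation, is not part of this excerpt, so confirm the `[compat]` change ships in the same commit before treating the version bump alone as the fix.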
# Source: https://github.com/JuliaWeb/HTTP.jl/commit/e124953f388e7750f893fcf90efc72b7a59e35eb
# Patch raises HTTP.jl to 1.10.17 and pins URIs.jl >= 1.6 to obtain CRLF validation.
Detection Methods for CVE-2025-52479
Indicators of Compromise
- HTTP request or response logs containing literal \r\n, %0D%0A, or %0d%0a sequences within URL paths, query strings, or Location headers.
- Unexpected secondary HTTP headers appearing in outbound requests originating from Julia applications.
- Web server logs showing split responses or duplicated HTTP/1.1 status lines from a single upstream connection.
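The indicators above, applied to constructed log lines, as an added Python example that is not tooling from the advisory or the HTTP.jl project. The log lines, the upstream-proxy log format and the indicator names are assumptions for the example; the regular expressions are tuned to Combined Log Format request fields and to a logger that writes control characters as \r and \n escapes.

```python
# Added example, not from the advisory or the HTTP.jl project: applies the
# indicators of compromise to log lines. Sample lines are constructed.
import re

# Percent-encoded CR or LF in either case; %250D / %250A (double-encoded) is
# flagged too, since one more decoding hop downstream turns it into CR / LF.
ENCODED_CRLF = re.compile(r"%(25)?0[dDaA]")
# Control characters as many loggers render them: backslash escapes.
ESCAPED_CRLF = re.compile(r"\\r|\\n")
# Raw C0 controls (except LF, which splits lines, and TAB) or DEL.
RAW_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# Combined Log Format request field: "METHOD request-target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"([A-Z]+) (\S+) HTTP/[0-9.]+"')
LOCATION_FIELD = re.compile(r"Location:\s*(\S+)", re.IGNORECASE)
STATUS_LINE = re.compile(r"HTTP/1\.[01] \d{3}")


def scan_line(line: str) -> list[str]:
    """Names of the indicators that fire on one log line ([] if clean)."""
    hits = []
    m = REQUEST_FIELD.search(line)
    if m and (ENCODED_CRLF.search(m.group(2)) or ESCAPED_CRLF.search(m.group(2))):
        hits.append("crlf-in-request-target")
    m = LOCATION_FIELD.search(line)
    if m and (ENCODED_CRLF.search(m.group(1)) or ESCAPED_CRLF.search(m.group(1))):
        hits.append("crlf-in-location-header")
    if RAW_CONTROL.search(line):
        hits.append("raw-control-char-in-line")
    # Two status lines inside one logged upstream response is the
    # response-splitting signature from the indicator list above.
    if len(STATUS_LINE.findall(line)) > 1:
        hits.append("multiple-status-lines")
    return hits


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers to the indicators that fired on them."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample: access-log lines plus upstream-proxy log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2025:10:00:01 +0000] "GET /search?q=julia HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Jun/2025:10:00:02 +0000] "GET /search?q=julia%0D%0AX-Injected:%201 HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Jun/2025:10:00:03 +0000] "GET /redirect?next=%2fhome%0d%0aSet-Cookie:%20sid%3Dx HTTP/1.1" 302 0',
    '203.0.113.7 - - [25/Jun/2025:10:00:04 +0000] "GET /redirect?next=%250D%250A HTTP/1.1" 302 0',
    'upstream=app-1 status=302 Location: /home\\r\\nSet-Cookie: sid=x',
    'upstream=app-1 conn=42 response="HTTP/1.1 302 Found ... HTTP/1.1 200 OK"',
    '198.51.100.9 - - [25/Jun/2025:10:00:05 +0000] "GET /a\rX-Injected: 1 HTTP/1.1" 400 0',
    'upstream=app-1 status=302 Location: /home',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

Lines 1 and 8 are clean controls; the raw-CR line shows why a line-level control-character check is needed in addition to the request-field patterns, since a CR inside the target breaks the Combined Log Format field parse itself.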
Detection Strategies
- Audit Julia projects for HTTP.jl versions below 1.10.17 and URIs.jl versions below 1.6.0 using Manifest.toml (which records the resolved versions) and the [compat] bounds in Project.toml.
- Inspect application code paths that pass untrusted strings to HTTP.request, HTTP.get, or URI() constructors without prior sanitization.
- Deploy web application firewall (WAF) rules that block requests containing encoded CR/LF in URI components.
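For the manifest audit in the first strategy, an added Python example, not a tool shipped by the HTTP.jl or URIs.jl projects, that reads a Manifest.toml in format 2.0 (the [[deps.Name]] layout current Julia versions write) and reports packages below the fixed baseline. The manifest text is constructed here; a real one also carries git-tree-sha1 and deps entries, which the parser ignores.

```python
# Added example, not from the HTTP.jl or URIs.jl projects: audits a Julia
# Manifest.toml (format 2.0) against the fixed versions in the advisory.
import re

# Fixed baseline from the advisory: package -> minimum safe version.
BASELINE = {"HTTP": (1, 10, 17), "URIs": (1, 6, 0)}

DEP_HEADER = re.compile(r"^\[\[deps\.([A-Za-z0-9_]+)\]\]\s*$")
VERSION_LINE = re.compile(r'^version\s*=\s*"([0-9][0-9A-Za-z.+-]*)"\s*$')


def parse_version(text: str) -> tuple[int, ...]:
    """'1.10.16' -> (1, 10, 16); a pre-release or build suffix is dropped."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def manifest_versions(manifest: str) -> dict[str, tuple[int, ...]]:
    """Collect package -> version for every [[deps.Name]] table. Standard
    library entries carry no version line and are simply skipped."""
    versions = {}
    current = None
    for line in manifest.splitlines():
        if (m := DEP_HEADER.match(line)):
            current = m.group(1)
        elif current and (m := VERSION_LINE.match(line)):
            versions[current] = parse_version(m.group(1))
    return versions


def vulnerable_packages(manifest: str) -> dict[str, str]:
    """Packages present in the manifest but below the baseline, with the
    comparison spelled out. A baseline package absent from the manifest is
    not reported: there is nothing to patch."""
    found = manifest_versions(manifest)
    report = {}
    for name, floor in BASELINE.items():
        if name in found and found[name] < floor:
            have = ".".join(map(str, found[name]))
            want = ".".join(map(str, floor))
            report[name] = f"{have} < {want}"
    return report


# Constructed manifest excerpt with the pre-fix versions.
SAMPLE_MANIFEST = """\
# This file is machine-generated - editing it directly is not advised

julia_version = "1.10.4"
manifest_format = "2.0"

[[deps.Base64]]
uuid = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"

[[deps.HTTP]]
deps = ["Base64", "URIs"]
uuid = "cd3eb016-35fb-5094-929b-558a96fad6f3"
version = "1.10.16"

[[deps.URIs]]
uuid = "5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4"
version = "1.5.1"
"""

if __name__ == "__main__":
    for name, why in vulnerable_packages(SAMPLE_MANIFEST).items():
        print(f"{name}: {why}")
```

Run it over every Manifest.toml in a repository, or as a CI step, to catch both the initial exposure and the reintroduction of a vulnerable resolution that the monitoring recommendations below warn about.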
Monitoring Recommendations
- Forward HTTP proxy and reverse proxy logs to a centralized analytics platform to identify CRLF injection patterns at scale.
- Alert on anomalous outbound HTTP traffic from Julia workloads, particularly requests with malformed headers or unexpected Host values.
- Monitor dependency manifests in CI/CD pipelines to flag reintroduction of vulnerable HTTP.jl or URIs.jl versions.
How to Mitigate CVE-2025-52479
Immediate Actions Required
- Upgrade HTTP.jl to version 1.10.17 or later in all Julia applications and services.
- Upgrade URIs.jl to version 1.6.0 or later, which contains the centralized CRLF validation fix.
- Rebuild and redeploy container images, serverless functions, and bundled artifacts that ship vulnerable versions.
Patch Information
The fix is delivered in HTTP.jl 1.10.17 and URIs.jl 1.6.0. The HTTP.jl release pins URIs.jl >= 1.6 so that URI validation occurs inside the URIs.jl package. Review the GitHub Security Advisory GHSA-4g68-4pxg-mw93, the HTTP.jl patch commit, and URIs.jl Pull Request #66 for the upstream changes.
Workarounds
- Manually validate and reject any URI input containing \r, \n, or the percent-encoded %0D or %0A in either case before passing it to HTTP.jl or URIs.jl functions; check the decoded form so mixed-case and double-encoded variants do not slip through.
- Strip or URL-encode control characters in all user-supplied URI components at the application boundary.
- Restrict accepted URI schemes and host values using allowlists to limit the attack surface until upgrades are completed.
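The first and third workarounds combined into one boundary check, as an added Python example, not code from HTTP.jl or URIs.jl, showing the logic a Julia application would apply before a string reaches HTTP.request or URI(). The allowed scheme and host sets are assumptions for the example. One caveat the code encodes: the control-character check runs on the raw string before parsing, because Python's urllib.parse strips CR, LF and tab from URLs since bpo-43882 (3.9.5 and 3.10), so a check on the parsed components alone would miss them.

```python
# Added example, not code from HTTP.jl or URIs.jl: a boundary validator that
# rejects control characters (raw or percent-encoded) and enforces scheme and
# host allowlists before a URI is handed to any HTTP machinery.
from urllib.parse import unquote, urlsplit

# Policy for this example (assumptions): only https to two named hosts.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "auth.example.com"}


class UnsafeURI(ValueError):
    """Raised for any input the application must refuse to forward."""


def percent_decode_fully(text: str, max_rounds: int = 3) -> str:
    """Apply percent-decoding until the string stops changing (bounded), so
    %0D, %0d and the double-encoded %250D all surface as the raw character."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_control_chars(text: str) -> bool:
    """True if CR, LF, NUL, any other C0 control, or DEL appears in the input
    once percent-encoding has been undone."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in percent_decode_fully(text))


def validate_uri(raw: str) -> str:
    """Return the URI unchanged if it passes every check, else raise UnsafeURI.

    The control-character check runs first, on the unparsed string: urlsplit
    silently drops CR, LF and tab (bpo-43882), so checking parts.path or
    parts.netloc afterwards would never see the injected bytes."""
    if has_control_chars(raw):
        raise UnsafeURI("control character in URI")
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURI(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeURI(f"host not allowed: {parts.hostname!r}")
    if parts.username or parts.password:
        raise UnsafeURI("userinfo not allowed")
    return parts.geturl()


if __name__ == "__main__":
    # Constructed inputs: one legitimate, the rest each tripping one rule.
    for candidate in [
        "https://api.example.com/v1/items?q=julia",
        "https://api.example.com/x%0D%0AX-Injected:%201",
        "https://api.example.com/x\r\nHost: evil.example",
        "https://api.example.com/%250d%250aX:1",
        "http://api.example.com/",
        "https://evil.example/",
    ]:
        try:
            print("accepted", validate_uri(candidate))
        except UnsafeURI as exc:
            print("rejected", repr(candidate), "->", exc)
```

The scheme and host allowlists are the part that keeps working even if a new encoding trick bypasses the control-character check, which is why the workaround list pairs them rather than relying on blocklisting alone.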
# Update Julia package dependencies to patched versions (run against the
# application's own project environment, not the default one)
julia --project=. -e 'using Pkg; Pkg.update(["HTTP", "URIs"])'
# Verify installed versions meet the fixed baseline
julia --project=. -e 'using Pkg; Pkg.status(["HTTP", "URIs"])'
# Expected output (these versions or later):
# [cd3eb016] HTTP v1.10.17
# [5c2747f8] URIs v1.6.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.