CVE-2025-52479 Overview
CVE-2025-52479 is a CRLF (Carriage Return Line Feed) injection vulnerability affecting the Julia ecosystem packages HTTP.jl and URIs.jl. HTTP.jl provides HTTP client and server functionality for Julia, while URIs.jl parses and works with Uniform Resource Identifiers. Versions of URIs.jl prior to 1.6.0 and HTTP.jl prior to 1.10.17 allow construction of URIs containing CR/LF characters. When unsanitized user input flows into URI construction, attackers can inject control characters to manipulate HTTP request structure. The flaw is tracked under CWE-93: Improper Neutralization of CRLF Sequences.
Critical Impact
Attackers can inject CR/LF sequences into URIs to perform HTTP header injection, request smuggling, or response splitting attacks against applications using vulnerable Julia HTTP libraries.
Affected Products
- HTTP.jl versions prior to 1.10.17
- URIs.jl versions prior to 1.6.0
- Julia applications consuming user-supplied URIs through these packages
Discovery Timeline
- 2025-06-25 - CVE-2025-52479 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2025-52479
Vulnerability Analysis
The vulnerability stems from missing validation of carriage return (\r) and line feed (\n) characters during URI construction. URIs.jl prior to version 1.6.0 accepted these control characters without rejection or escaping. HTTP.jl consumed these malformed URIs and passed them into HTTP request construction. When a request line or header is built from a URI containing CRLF, the attacker effectively injects new HTTP protocol elements. Depending on the application context, this lets the attacker forge headers, append additional requests, or split responses.
Root Cause
The root cause is the absence of input neutralization for CRLF sequences in the URI parsing path. Validation logic that should have rejected disallowed control characters was missing from URIs.jl. HTTP.jl trusted URI inputs without performing independent verification. The maintainers consolidated URI validation into URIs.jl and updated HTTP.jl to require URIs.jl >= 1.6.
Attack Vector
Exploitation occurs over the network without authentication or user interaction. An attacker supplies crafted input containing %0d%0a or raw CR/LF bytes that flows into a URI passed to HTTP.jl client functions. The injected characters break the HTTP request line, enabling header injection or smuggling against the upstream server.
name = "HTTP"
uuid = "cd3eb016-35fb-5094-929b-558a96fad6f3"
authors = ["Jacob Quinn", "contributors: https://github.com/JuliaWeb/HTTP.jl/graphs/contributors"]
-version = "1.10.16"
+version = "1.10.17"
[deps]
Base64 = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"
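Review bot: the hunk as shown only bumps `version` from 1.10.16 to 1.10.17; the tightened URIs.jl constraint (>= 1.6) that the fix depends on does not appear in these lines, so the version bump alone does not force consumers onto a URIs.jl that carries the CRLF validation. The excerpt should also include the changed `[compat]` entry for URIs so that the dependency requirement is visible alongside the release bump.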
Source: HTTP.jl commit e124953 - The patch bumps HTTP.jl from 1.10.16 to 1.10.17 and updates the dependency constraint to require URIs.jl >= 1.6, which contains the CRLF validation logic.
Detection Methods for CVE-2025-52479
Indicators of Compromise
- Outbound HTTP requests containing raw \r\n sequences or %0d%0a in URI path or query components
- Application logs showing URIs with embedded control characters originating from user input
- Unexpected HTTP headers appearing in upstream server logs that align with user-controlled URI fields
Detection Strategies
- Inspect Julia project manifests (Project.toml, Manifest.toml) for HTTP.jl below 1.10.17 or URIs.jl below 1.6.0
- Apply web application firewall rules to flag HTTP request lines containing encoded CRLF in URI components
- Review code paths where user input is concatenated into URI strings without prior validation
Monitoring Recommendations
- Log full request lines from outbound HTTP clients and alert on CR/LF bytes in URI fields
- Monitor for HTTP response splitting indicators such as duplicate Content-Length or unexpected Set-Cookie headers from upstream services
- Track dependency drift in Julia environments using software composition analysis tooling
How to Mitigate CVE-2025-52479
Immediate Actions Required
- Upgrade HTTP.jl to version 1.10.17 or later in all Julia projects
- Upgrade URIs.jl to version 1.6.0 or later, including transitive dependencies
- Audit application code for any path that constructs URIs from untrusted input
- Add server-side and client-side rejection of CR/LF characters in user-supplied URL fields
Patch Information
The fix is delivered through HTTP.jl 1.10.17 and URIs.jl 1.6.0. URI validation has been centralized in URIs.jl, and HTTP.jl now requires the patched URIs.jl as a dependency. Full details are available in the GitHub Security Advisory GHSA-4g68-4pxg-mw93 and the URIs.jl pull request #66.
Workarounds
- Manually validate URIs before passing them to HTTP.jl functions, rejecting any input containing \r or \n
- Wrap URI construction in a helper that strips or denies CRLF sequences and URL-encoded equivalents
- Restrict user-supplied URI fields to an allowlist of expected schemes, hosts, and characters
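The three workarounds above combined into one Julia helper, as an added example that is not code from HTTP.jl or URIs.jl: it rejects raw and percent-encoded CR/LF (including one level of double encoding), then restricts scheme and host to allowlists before handing a parsed URI to the caller. The allowlist values and the UnsafeURIError type are assumptions chosen for the example.

```julia
# Added example, not code from HTTP.jl or URIs.jl: refuses user-supplied URI
# text carrying CR/LF before it reaches HTTP.jl (a workaround for pre-1.6 URIs.jl).
using URIs

# Raw CR/LF and their single percent-encoded forms, matched case-insensitively.
const CRLF_PATTERN = r"[\r\n]|%0[dD]|%0[aA]"

struct UnsafeURIError <: Exception
    msg::String
end

# True when the input holds raw or encoded CR/LF, checked as given and after one
# round of percent-decoding so doubly encoded forms such as %250d are refused too.
function contains_crlf(s::AbstractString)
    occursin(CRLF_PATTERN, s) && return true
    decoded = try
        URIs.unescapeuri(s)
    catch
        return true   # undecodable percent-escapes are treated as unsafe
    end
    return occursin(CRLF_PATTERN, decoded)
end

# Validates an untrusted URI string and returns a parsed URIs.URI, or throws.
# The allowlists are hypothetical caller-chosen values; host matching is exact.
function safe_uri(s::AbstractString; allowed_schemes = ("https",),
                  allowed_hosts = ("api.example.com",))
    contains_crlf(s) && throw(UnsafeURIError("CR/LF sequence in URI input"))
    u = URI(s)
    lowercase(u.scheme) in allowed_schemes ||
        throw(UnsafeURIError("scheme not allowed: $(u.scheme)"))
    lowercase(u.host) in allowed_hosts ||
        throw(UnsafeURIError("host not allowed: $(u.host)"))
    return u
end

# Constructed inputs: one benign, three carrying CRLF in different encodings.
for candidate in ("https://api.example.com/items?id=42",
                  "https://api.example.com/items?id=42%0d%0aX-Test: 1",
                  "https://api.example.com/items?id=42\r\nX-Test: 1",
                  "https://api.example.com/items?id=42%250d%250aX-Test: 1")
    try
        println("accepted: ", safe_uri(candidate))
    catch e
        e isa UnsafeURIError || rethrow()
        println("rejected: ", repr(candidate), " (", e.msg, ")")
    end
end
```

Only the first candidate is accepted; the other three are rejected before `URI` parsing, which is the point at which the pre-1.6 library would have let the control characters through.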
# Update Julia dependencies in the project environment
julia --project -e 'using Pkg; Pkg.update(["HTTP", "URIs"]); Pkg.status()'
# Verify minimum patched versions are installed
julia --project -e 'using Pkg; Pkg.status("HTTP"); Pkg.status("URIs")'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.