Description
The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters. If user input embedded in a URI was not otherwise escaped or validated, this could lead to a CRLF injection attack: the CR/LF bytes terminate the request line and let the caller-controlled text be parsed as additional header lines (or a body).
With this simple Julia code, you can inject a custom header named Foo with the value bar:
import HTTP
# The embedded "\r\n" ends the request line early; everything after it is sent as raw header lines.
HTTP.get("http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:")
A listener on port 1337 receives the request like this (note that the trailing " HTTP/1.1" of the original request line ends up as the value of the injected baz header):
➜ ncat -klp 1337
GET / HTTP/1.1
Foo: bar <-- injected header!
baz: HTTP/1.1
Host: localhost:1337
Accept: */*
User-Agent: HTTP.jl/1.11.5
Content-Length: 0
Accept-Encoding: gzip
Impact
An attacker who controls part of a URI can inject arbitrary request headers, or terminate the header block and inject data into the request body, and can thereby cause “HTTP response splitting”.
Patches
Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17. All prior versions are vulnerable.
Users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. All prior versions are vulnerable.
The check for valid URIs is now in the URIs.jl package, and the latest version of HTTP.jl incorporates that fix.
Workarounds
Manually validate any URIs before passing them on to functions in this package: reject any URI that contains CR, LF or other control characters, and percent-encode user-supplied path or query components rather than concatenating them raw.
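The following is an added example of such a workaround for code that cannot upgrade yet; it is not part of the advisory or of HTTP.jl itself. The names validate_uri, build_url, safe_get and UnsafeURIError are assumptions introduced here. HTTP.escapeuri is the percent-encoding helper that HTTP.jl re-exports from URIs.jl.

```julia
# Added example (not from the advisory or HTTP.jl): guard URIs before they
# reach HTTP.jl on a version that does not yet reject CR/LF itself.
import HTTP

# Hypothetical exception type for this example.
struct UnsafeURIError <: Exception
    msg::String
end

# Bytes that must never appear raw in a request target: C0 control characters
# (including CR 0x0D and LF 0x0A), space (which ends the request-target and is
# what makes the " HTTP/1.1" trick above work) and DEL.
const FORBIDDEN_TARGET_BYTES = r"[\x00-\x20\x7f]"

# Reject a whole URI string that contains any forbidden byte.
function validate_uri(uri::AbstractString)
    m = match(FORBIDDEN_TARGET_BYTES, uri)
    if m !== nothing
        throw(UnsafeURIError("control or whitespace character at offset $(m.offset)"))
    end
    return uri
end

# When only part of the URI is attacker-influenced (here: one path segment),
# percent-encode that part instead of validating the assembled string; CR, LF
# and space are then sent as %0D, %0A and %20 and can no longer split the request.
function build_url(base::AbstractString, segment::AbstractString)
    return base * "/" * HTTP.escapeuri(segment)
end

# Hypothetical wrapper that validates before delegating to HTTP.get.
function safe_get(uri::AbstractString; kw...)
    return HTTP.get(validate_uri(uri); kw...)
end

# Constructed sample inputs: the payload from the advisory, checked both ways.
payload = "http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:"

try
    validate_uri(payload)          # throws UnsafeURIError at the first space
catch e
    e isa UnsafeURIError && println("rejected: ", e.msg)
end

# The same attacker-controlled text, safely embedded as an encoded path segment.
println(build_url("http://localhost:1337", " HTTP/1.1\r\nFoo: bar\r\nbaz:"))
```

validate_uri is the coarse check to apply when the entire URI string comes from outside; build_url is the preferable pattern when you assemble the URI yourself, because it never lets untrusted bytes reach the request line unencoded. On URIs.jl v1.6.0 and later the URI constructor performs an equivalent check itself, so the wrapper becomes redundant once you upgrade.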
References
Fixed by: JuliaWeb/URIs.jl#66 (which is available in URIs.jl v1.6.0).
Credits
Thanks to splitline from the DEVCORE Research Team for reporting this issue.