CVE-2025-59822

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-59822
Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/http4s/http4s/commit/dd518f7c967e5165813b8d4a48a82b8fab852d41 Patch
https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr Exploit Vendor Advisory
https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone28:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone29:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone30:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone31:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone32:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone33:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone34:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone35:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone36:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone37:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone38:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone39:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone40:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone41:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone42:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone43:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone44:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:*
History

No history.

Information

Published : 2025-09-23 19:15

Updated : 2025-10-08 17:35

NVD link : CVE-2025-59822

Mitre link : CVE-2025-59822

CVE.ORG link : CVE-2025-59822

JSON object : View

Products Affected

typelevel

  • http4s
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')