CVE-2023-22465 HIGH

CVE-2023-22465: Http4s has fatal error parsing User-Agent and Server headers

Vendor Http4S

Product http4s

Weakness CWE-20 · Input validation

Published January 4, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

Key dates

02Disclosure timeline

January 4, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22465 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2023-22465

CWE CWE-20

CVSS 7.5 / HIGH

Affected versions

Vendor Http4S

Product http4s

Affected >= 0.1.0, < 0.21.34

Vendor Http4S

Product http4s

Affected >= 0.22.0, < 0.22.15

Vendor Http4S

Product http4s

Affected >= 0.23.0, < 0.23.17

Vendor Http4S

Product http4s

Affected >= 1.0.0-M1, < 1.0.0-M38

CVE-2023-22465: Http4s has fatal error parsing User-Agent and Server headers

01Description

02Disclosure timeline

03References

04Related CVE