CVE-2025-61689 HIGH

CVE-2025-61689: HTTP.jl vulnerable to Header injection/Response splitting via header construction.

Vendor Juliaweb
Product HTTP.jl
Weakness CWE-113 · HTTP response splitting
Published October 10, 2025
Last update October 10, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P

What the vulnerability does

01Description

HTTP.jl is an HTTP client and server functionality for the Julia programming language. Prior to version 1.10.19, HTTP.jl did not validate header names/values for illegal characters, allowing CRLF-based header injection and response splitting. This enables HTTP response splitting and header injection, leading to cache poisoning, XSS, session fixation, and more. This issue is fixed in HTTP.jl `v1.10.19`.

Key dates

02Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated