Skip to content

Fatal error parsing User-Agent and Server headers

High
rossabaker published GHSA-54w6-vxfh-fw7f Jan 4, 2023

Package

maven org.http4s :: http4s-core (Maven)

Affected versions

0.1.0 through 0.21.33
0.22.0 through 0.22.14
0.23.0 through 0.23.16
1.0.0-M1 through 1.0.0-M37

Patched versions

0.21.34
0.22.15
0.23.17
1.0.0-M38

Description

Impact

The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers.

v0.21.x

val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)

v0.22.x, v0.23.x, v1.x

val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[`Server`] = req.headers.get[Server]

Patches

Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.

Workarounds

Use the weakly typed header interface

v0.21.x
val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this
val unsafe = header.map(_.parsed) 
v0.22.x, v0.23.x, v1.x
val safe: Option[Header] = req.headers.get(ci"User-Agent")

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-22465

Weaknesses

No CWEs