Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original CORS implementation and CORSConfig are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
Weakness
The product does not properly verify that the source of data or communication is valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http4s | Typelevel | * | 0.21.26 (including) |
| Http4s | Typelevel | 0.22.0 (including) | 0.22.2 (including) |
| Http4s | Typelevel | 0.23.0 (including) | 0.23.0 (including) |
| Http4s | Typelevel | 0.23.1 (including) | 0.23.1 (including) |
| Http4s | Typelevel | 1.0.0-milestone1 (including) | 1.0.0-milestone1 (including) |
| Http4s | Typelevel | 1.0.0-milestone10 (including) | 1.0.0-milestone10 (including) |
| Http4s | Typelevel | 1.0.0-milestone11 (including) | 1.0.0-milestone11 (including) |
| Http4s | Typelevel | 1.0.0-milestone12 (including) | 1.0.0-milestone12 (including) |
| Http4s | Typelevel | 1.0.0-milestone13 (including) | 1.0.0-milestone13 (including) |
| Http4s | Typelevel | 1.0.0-milestone14 (including) | 1.0.0-milestone14 (including) |
| Http4s | Typelevel | 1.0.0-milestone15 (including) | 1.0.0-milestone15 (including) |
| Http4s | Typelevel | 1.0.0-milestone16 (including) | 1.0.0-milestone16 (including) |
| Http4s | Typelevel | 1.0.0-milestone17 (including) | 1.0.0-milestone17 (including) |
| Http4s | Typelevel | 1.0.0-milestone18 (including) | 1.0.0-milestone18 (including) |
| Http4s | Typelevel | 1.0.0-milestone19 (including) | 1.0.0-milestone19 (including) |
| Http4s | Typelevel | 1.0.0-milestone2 (including) | 1.0.0-milestone2 (including) |
| Http4s | Typelevel | 1.0.0-milestone20 (including) | 1.0.0-milestone20 (including) |
| Http4s | Typelevel | 1.0.0-milestone21 (including) | 1.0.0-milestone21 (including) |
| Http4s | Typelevel | 1.0.0-milestone22 (including) | 1.0.0-milestone22 (including) |
| Http4s | Typelevel | 1.0.0-milestone23 (including) | 1.0.0-milestone23 (including) |
| Http4s | Typelevel | 1.0.0-milestone24 (including) | 1.0.0-milestone24 (including) |
| Http4s | Typelevel | 1.0.0-milestone3 (including) | 1.0.0-milestone3 (including) |
| Http4s | Typelevel | 1.0.0-milestone4 (including) | 1.0.0-milestone4 (including) |
| Http4s | Typelevel | 1.0.0-milestone5 (including) | 1.0.0-milestone5 (including) |
| Http4s | Typelevel | 1.0.0-milestone6 (including) | 1.0.0-milestone6 (including) |
| Http4s | Typelevel | 1.0.0-milestone7 (including) | 1.0.0-milestone7 (including) |
| Http4s | Typelevel | 1.0.0-milestone8 (including) | 1.0.0-milestone8 (including) |
| Http4s | Typelevel | 1.0.0-milestone9 (including) | 1.0.0-milestone9 (including) |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/141.html
- https://cwe.mitre.org/data/definitions/142.html
- https://cwe.mitre.org/data/definitions/160.html
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/384.html
- https://cwe.mitre.org/data/definitions/385.html
- https://cwe.mitre.org/data/definitions/386.html
- https://cwe.mitre.org/data/definitions/387.html
- https://cwe.mitre.org/data/definitions/388.html
- https://cwe.mitre.org/data/definitions/510.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/75.html
- https://cwe.mitre.org/data/definitions/76.html
- https://cwe.mitre.org/data/definitions/89.html