HTTP Request Smuggling Vulnerability in Http4s by Http4s
CVE-2025-59822

6.3MEDIUM

Key Information:

Vendor: Http4s
Status: Http4s
Vendor: CVE Published:; 23 September 2025

What is CVE-2025-59822?

Http4s, a popular Scala interface for HTTP services, is susceptible to HTTP Request Smuggling due to improper processing of the HTTP trailer section. This flaw allows attackers to circumvent front-end server security measures, execute targeted assaults on active users, and infect web caches. Exploitation requires that the web application be positioned behind a reverse-proxy capable of relaying trailer headers. The vulnerability has been rectified in versions 1.0.0-M45 and 0.23.31.

Affected Version(s)

http4s < 0.23.31 < 0.23.31

http4s >= 1.0.0-M1, < 1.0.0-M45 < 1.0.0-M1, 1.0.0-M45

References

https://github.com/http4s/http4s/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/http4s/http4s/commit/dd518f7c967e51658...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2025
Vulnerability Reserved
Sep 22, 2025

JSON