CVE-2025-59822

high-risk
Published 2025-09-23

Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. A pre-requisite for exploitation involves the web application being deployed behind a reverse-proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S
Http4S

Affected Vendors

Typelevel

References (3)

Patch https://github.com/http4s/http4s/commit/dd518f7c967e5165813b8d4a48a82b8fab852d41
Exploit https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr
Exploit https://github.com/http4s/http4s/security/advisories/GHSA-wcwh-7gfw-5wrr
51
/ 100
high-risk
Severity 26/34 · High
Exploitability 0/34 · Minimal
Exposure 25/34 · High