Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack: the `Origin` header of the request is echoed back as the allowed origin. The middleware is also susceptible to a null origin attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.
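The two behaviours the advisory contrasts, reflecting any request `Origin` (with credentials) versus answering only an explicit allowlist, are modelled below in Python. This is an added example of the CORS decision logic, not http4s code; the header names are the standard CORS response headers, and the origins (`https://app.example.com`, `https://attacker.example`) are constructed for the demonstration.

```python
"""Model of a reflecting CORS policy beside an allowlist policy.

Added illustrative code; it does not use or reproduce the http4s API.
Each policy takes the request's Origin header value (None when absent)
and returns the CORS response headers it would emit.
"""
from typing import Dict, FrozenSet, Optional, Tuple

ALLOW_ORIGIN = "Access-Control-Allow-Origin"
ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials"
VARY = "Vary"

# Constructed allowlist for the hardened policy.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example.com"})


def reflecting_cors(origin: Optional[str]) -> Dict[str, str]:
    """Vulnerable pattern (any origin + credentials).

    Whatever Origin the client sent is copied into
    Access-Control-Allow-Origin together with Allow-Credentials: true, so
    any site, and a "null" origin from a sandboxed iframe or data: URL,
    can make credentialed cross-origin requests and read the responses.
    """
    if origin is None:
        return {}
    return {ALLOW_ORIGIN: origin, ALLOW_CREDENTIALS: "true", VARY: "Origin"}


def allowlist_cors(origin: Optional[str],
                   allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Hardened pattern: exact match against a fixed set of origins.

    Scheme and host are case-insensitive, so comparison is on the
    lower-cased serialisation. The literal "null" origin is refused even
    if it appears in the allowlist, because browsers send it for
    sandboxed and opaque contexts that cannot be trusted.
    """
    if origin is None or origin.lower() == "null":
        return {}
    if origin.lower() not in {a.lower() for a in allowed}:
        return {}
    # Echo the origin as received; Vary tells caches the answer depends on it.
    return {ALLOW_ORIGIN: origin, ALLOW_CREDENTIALS: "true", VARY: "Origin"}


def grants_credentialed_access(headers: Dict[str, str], origin: str) -> bool:
    """True if a browser at `origin` would be allowed to read the response
    with credentials attached (the condition an attacker needs)."""
    return (headers.get(ALLOW_ORIGIN) == origin
            and headers.get(ALLOW_CREDENTIALS) == "true")


def compare_policies(origin: str) -> Tuple[bool, bool]:
    """(reflecting grants access, allowlist grants access) for one origin."""
    return (grants_credentialed_access(reflecting_cors(origin), origin),
            grants_credentialed_access(allowlist_cors(origin), origin))


if __name__ == "__main__":
    # Constructed sample origins: the legitimate app, a third-party site,
    # and the opaque "null" origin.
    for o in ("https://app.example.com", "https://attacker.example", "null"):
        reflecting, allowlisted = compare_policies(o)
        print(f"{o:28} reflecting={reflecting!s:5} allowlist={allowlisted}")
```

The reflecting policy says yes to all three origins, which is the advisory's point: the default was equivalent to trusting every site on the web with the user's cookies. The allowlist policy admits only the configured origin and never `null`; when migrating, that refusal of `null` is the caveat to keep even if a legacy configuration listed it.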
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.http4s:http4s-server_2.13.0-M5 (Maven) | 0 | N/A | N/A |
| org.http4s:http4s-server_3 (Maven) | 0.22.0 | 0.22.3 | N/A |
| org.http4s:http4s-server_3 (Maven) | 0.23.0 | 0.23.2 | N/A |
| org.http4s:http4s-server_2.10 (Maven) | 0 | N/A | N/A |
| org.http4s:http4s-server_2.11 (Maven) | 0 | N/A | N/A |
| org.http4s:http4s-server_2.12 (Maven) | 0 | 0.21.27 | N/A |
| org.http4s:http4s-server_2.12 (Maven) | 0.22.0 | 0.22.3 | N/A |
| org.http4s:http4s-server_2.12 (Maven) | 0.23.0 | 0.23.2 | N/A |
| org.http4s:http4s-server_2.13 (Maven) | 0 | 0.21.27 | N/A |
| org.http4s:http4s-server_2.13 (Maven) | 0.22.0 | 0.22.3 | N/A |
| org.http4s:http4s-server_2.13 (Maven) | 0.23.0 | 0.23.2 | N/A |