GHSA-5vcm-3xc3-w7x3 · Severity: high · Ecosystem: maven — Response Splitting from unsanitized headers
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`å), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Conclusion & alert: CVE-2021-41084 is rated High Exploit Risk (72.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.20%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.45% | 1.20% | +0.74% |
| 2 | 2025-11-21 | 0.42% | 0.45% | +0.03% |
| 3 | 2025-11-18 | — | 0.42% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.7 | 3.1 | HIGH |
|
2.2 | 5.8 | [email protected] |
| 4.7 | 3.1 | MEDIUM |
|
2.8 | 1.4 | [email protected] |
| 4.3 | 2.0 | MEDIUM |
|
8.6 | 2.9 | [email protected] |
GHSA-5vcm-3xc3-w7x3 · Severity: high · Ecosystem: maven — Response Splitting from unsanitized headers
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| typelevel | http4s | < 0.21.29 | cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:* |
| typelevel | http4s | >= 0.22.0, < 0.22.5 | cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:* |
| typelevel | http4s | >= 0.23.0, < 0.23.4 | cpe:2.3:a:typelevel:http4s:*:*:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone1:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone10:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone11:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone12:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone13:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone14:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone15:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone16:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone17:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone18:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone19:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone2:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone20:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone21:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone22:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone23:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone24:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone25:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone26:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone3:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone4:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone5:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone6:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone7:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone8:*:*:*:*:*:* |
| typelevel | http4s | 1.0.0 | cpe:2.3:a:typelevel:http4s:1.0.0:milestone9:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8 | Patch Third Party Advisory |
| https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3 | Exploit Third Party Advisory |
| https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values | Vendor Advisory |
| https://owasp.org/www-community/attacks/HTTP_Response_Splitting | Third Party Advisory |