GHSA-54w6-vxfh-fw7f
Http4s improperly parses User-Agent and Server headers
Severity: HIGH
Blast Radius
Affected Maven artifacts: org.http4s:http4s-core_2.10, org.http4s:http4s-core_2.11, org.http4s:http4s-core_2.12, org.http4s:http4s-core_2.13 (+2 more).
Description
Impact
The User-Agent and Server header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers: a server that asks for the typed `User-Agent` of an incoming request, or a client that asks for the typed `Server` of an upstream response. In both cases the value is supplied by the remote peer. A fatal error in the Scala sense is one that scala.util.control.NonFatal does not match, so wrapping the lookup in attempt or an error-handling middleware is not a dependable workaround; the dependable one is not to invoke the typed parser at all (see Workarounds).
v0.21.x
```scala
import org.http4s.headers.`User-Agent`

// v0.21.x: requesting the typed header parses the raw value on demand
val unsafe: Option[`User-Agent`] = req.headers.get(`User-Agent`)
```
v0.22.x, v0.23.x, v1.x
```scala
import org.http4s.headers.{`User-Agent`, Server}

// v0.22.x, v0.23.x, v1.x: the type-indexed lookup runs the same parser
val unsafe: Option[`User-Agent`] = req.headers.get[`User-Agent`]
val alsoUnsafe: Option[Server] = req.headers.get[Server]
```
Patches
Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38.
Workarounds
Use the weakly typed header interface, which returns the raw value and never runs the modeled parser.
v0.21.x
```scala
import org.http4s.Header
import org.http4s.syntax.string._ // provides "...".ci

// Raw lookup by name: no parsing happens
val safe: Option[Header] = req.headers.get("User-Agent".ci)
// but don't do this: .parsed runs the same typed parser as get(`User-Agent`)
val unsafe: Option[Header] = safe.map(_.parsed)
```
v0.22.x, v0.23.x, v1.x
```scala
import cats.data.NonEmptyList
import org.http4s.Header
import org.typelevel.ci._ // provides the ci"..." interpolator

// Raw lookup by name returns every occurrence of the header, unparsed
// (note the return type: a non-empty list of Header.Raw, not a single Header)
val safe: Option[NonEmptyList[Header.Raw]] = req.headers.get(ci"User-Agent")
```
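The following is an added example for the Impact and Workarounds sections, not code from the advisory or from the http4s project. It packages the raw-header approach as helpers for the 0.23 API and adds a string-level extraction of the product token for logging, so nothing ever invokes the modeled `User-Agent`/`Server` parser. The `SafeHeaders` object, its method names, the sample headers and the scala-cli directives are assumptions made for this example; the pinned 0.23.17 is the patched release named under Patches.

```scala
//> using scala "2.13"
//> using dep "org.http4s::http4s-core:0.23.17"

import cats.data.NonEmptyList
import org.http4s.{Header, Headers, Request}
import org.http4s.headers.`User-Agent`
import org.typelevel.ci._

// Hypothetical helpers, not part of http4s. They read User-Agent / Server as
// opaque strings through the weakly typed Headers.get(CIString) interface, so
// the modeled parser covered by this advisory is never run on the value.
object SafeHeaders {
  // Every occurrence of the header, unparsed (None if absent).
  def raw(headers: Headers, name: CIString): Option[NonEmptyList[Header.Raw]] =
    headers.get(name)

  // Repeated occurrences joined with ", " (RFC 7230 list syntax), still unparsed.
  def rawValue(headers: Headers, name: CIString): Option[String] =
    raw(headers, name).map(_.map(_.value).toList.mkString(", "))

  def userAgent(headers: Headers): Option[String] = rawValue(headers, ci"User-Agent")
  def server(headers: Headers): Option[String] = rawValue(headers, ci"Server")

  // Convenience for request handlers; F is left abstract so it works for any effect.
  def userAgentOf[F[_]](req: Request[F]): Option[String] = userAgent(req.headers)

  // Coarse product token ("curl" from "curl/8.4.0 (x86_64-pc-linux-gnu)") for
  // logging or metrics, obtained by plain string splitting rather than the grammar.
  def productName(ua: String): Option[String] =
    ua.trim.split("\\s+").headOption.map(_.takeWhile(_ != '/')).filter(_.nonEmpty)
}

object Demo extends App {
  // Constructed sample headers (not taken from the advisory).
  val hs = Headers(
    Header.Raw(ci"Host", "example.test"),
    Header.Raw(ci"User-Agent", "curl/8.4.0 (x86_64-pc-linux-gnu)")
  )

  println(SafeHeaders.userAgent(hs))
  println(SafeHeaders.userAgent(hs).flatMap(SafeHeaders.productName))
  println(SafeHeaders.server(hs))

  // The pattern the advisory calls unsafe: a typed lookup runs the header
  // parser. It is only acceptable on a patched release, which the dependency
  // pinned above is.
  val typed: Option[`User-Agent`] = hs.get[`User-Agent`]
  println(typed.map(_.product))
}
```

Run it with `scala-cli run` on the file. `userAgent` and `server` yield the raw string (or None for the absent Server header), `productName` yields the token before the first slash, and only the final typed lookup exercises the parser the advisory is about.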
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| Maven | org.http4s:http4s-core_2.13 | ≥ 0.1.0, < 0.21.34 | 0.21.34 |
| Maven | org.http4s:http4s-core_2.13 | ≥ 0.22.0, < 0.22.15 | 0.22.15 |
| Maven | org.http4s:http4s-core_2.13 | ≥ 0.23.0, < 0.23.17 | 0.23.17 |
| Maven | org.http4s:http4s-core_2.13 | ≥ 1.0.0-M1, < 1.0.0-M38 | 1.0.0-M38 |
| Maven | org.http4s:http4s-core_2.10 | ≥ 0.1.0 | No fix |
| Maven | org.http4s:http4s-core_2.11 | ≥ 0.1.0 | No fix |
Detection & mitigation playbook
Detect (open-source dependency)
Scan your build definition (build.sbt, pom.xml, build.gradle) and the resolved dependency tree (sbt dependencyTree, mvn dependency:tree) for org.http4s:http4s-core with any Scala-version suffix (http4s-core_2.10 through http4s-core_2.13 are listed above). http4s-core is usually pulled in transitively by http4s-dsl and the server and client backend modules, so the build file alone is not enough. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.http4s:http4s-core to the fixed release of the line you are on (0.21.34, 0.22.15, 0.23.17 or 1.0.0-M38). No fixed artifact exists for Scala 2.10 or 2.11, so those builds must move to a Scala version for which a patched release is published. Then make sure no transitive (indirect) dependency still pins the vulnerable range; O3 confirms GHSA-54w6-vxfh-fw7f is resolved across your whole dependency graph.
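The Affected Packages table can be turned into a check that runs over resolved coordinates from the dependency tree. The following is an added example, not part of the advisory or of any O3 tooling: `Http4sAdvisoryCheck`, its `Status` results, the version model and the sample coordinates are assumptions made for this example, while the ranges and the no-fix artifacts are exactly those in the table.

```scala
//> using scala "2.13"

// Added example, not from the advisory or from http4s: classifies an http4s-core
// coordinate against the version ranges in the Affected Packages table.
object Http4sAdvisoryCheck {
  // http4s version strings are numeric parts with an optional milestone,
  // e.g. "0.23.16" or "1.0.0-M37". Anything else (RC, SNAPSHOT) is reported
  // as unparseable rather than silently treated as safe.
  final case class Version(nums: List[Int], milestone: Option[Int])

  object Version {
    private val Milestone = """(\d+(?:\.\d+)*)-M(\d+)""".r
    private val Release = """(\d+(?:\.\d+)*)""".r

    def parse(s: String): Option[Version] = s.trim match {
      case Milestone(n, m) => Some(Version(n.split('.').map(_.toInt).toList, Some(m.toInt)))
      case Release(n)      => Some(Version(n.split('.').map(_.toInt).toList, None))
      case _               => None
    }

    // Numeric parts compare position by position (missing parts count as 0);
    // at equal parts a final release sorts after every milestone of it.
    implicit val ordering: Ordering[Version] = Ordering.fromLessThan { (a, b) =>
      val len = math.max(a.nums.length, b.nums.length)
      val cmp = a.nums.padTo(len, 0).zip(b.nums.padTo(len, 0))
        .map { case (x, y) => x.compare(y) }.find(_ != 0).getOrElse(0)
      if (cmp != 0) cmp < 0
      else (a.milestone, b.milestone) match {
        case (Some(x), Some(y)) => x < y
        case (Some(_), None)    => true
        case _                  => false
      }
    }
  }

  sealed trait Status
  final case class Vulnerable(fixedIn: String) extends Status
  case object NotAffected extends Status
  case object NoFixPublished extends Status
  case object Unparseable extends Status

  // (inclusive lower bound, exclusive upper bound, fixed version) per release line,
  // taken from the Affected Packages table.
  private val ranges: List[(Version, Version, String)] = List(
    "0.1.0"    -> "0.21.34",
    "0.22.0"   -> "0.22.15",
    "0.23.0"   -> "0.23.17",
    "1.0.0-M1" -> "1.0.0-M38"
  ).map { case (lo, hi) => (Version.parse(lo).get, Version.parse(hi).get, hi) }

  // Artifacts for Scala versions with no patched release, per the table.
  private val noFixSuffixes = List("_2.10", "_2.11")

  def check(artifact: String, version: String): Status =
    if (noFixSuffixes.exists(s => artifact.endsWith(s))) NoFixPublished
    else Version.parse(version) match {
      case None => Unparseable
      case Some(v) =>
        ranges.collectFirst {
          case (lo, hi, fix) if Version.ordering.gteq(v, lo) && Version.ordering.lt(v, hi) =>
            Vulnerable(fix)
        }.getOrElse(NotAffected)
    }

  def main(args: Array[String]): Unit = {
    // Constructed sample coordinates, as they would appear in the output of
    // `sbt dependencyTree` or `mvn dependency:tree`.
    val samples = List(
      "org.http4s:http4s-core_2.13" -> "0.23.16",
      "org.http4s:http4s-core_2.13" -> "0.23.17",
      "org.http4s:http4s-core_2.13" -> "1.0.0-M37",
      "org.http4s:http4s-core_2.11" -> "0.21.33",
      "org.http4s:http4s-core_2.13" -> "0.23.17-RC1"
    )
    samples.foreach { case (artifact, version) =>
      println(s"$artifact:$version -> ${check(artifact, version)}")
    }
  }
}
```

Run with `scala-cli run`. For the constructed samples it reports 0.23.16 as vulnerable with 0.23.17 as the fix, 0.23.17 as not affected, 1.0.0-M37 as vulnerable with 1.0.0-M38 as the fix, the _2.11 artifact as having no published fix regardless of version, and the RC string as unparseable, which is the conservative outcome for a version the table does not describe.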
Workarounds
If you can't upgrade right away: read User-Agent and Server only through the weakly typed interface shown under Workarounds above, and never call .parsed or the typed get on them; where you do not control the code, strip or replace the User-Agent header at the edge proxy before it reaches the service, so a crafted value never reaches the parser. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-54w6-vxfh-fw7f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-54w6-vxfh-fw7f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-54w6-vxfh-fw7f in your dependencies?
O3 detects GHSA-54w6-vxfh-fw7f across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable, not just present, so a transitive http4s-core whose typed User-Agent and Server parsers are never invoked is not reported as exposure.