Description
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.
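The affected pattern and the advisory's workaround side by side, as an added example that is not http4s's own code or part of the advisory; it assumes the http4s 0.23 API (`Headers#get` with a typed header versus a `CIString` key) and the `ci` interpolator from org.typelevel.ci, with the names recalled from that API rather than taken from this page.

```scala
// Added example, not code from http4s or from the advisory. Assumes the
// http4s 0.23 API (org.http4s.Headers#get) and org.typelevel.ci's `ci`
// interpolator; adjust imports for the 0.21/0.22 series.
import cats.effect.IO
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.headers.`User-Agent`
import org.typelevel.ci._

object UserAgentRoutes {

  // Affected pattern: requesting the modeled header forces http4s to run the
  // User-Agent parser on whatever bytes the client sent, so a crafted value
  // reaches the vulnerable parser here.
  def typed(req: Request[IO]): IO[Response[IO]] = {
    val product = req.headers.get[`User-Agent`].map(_.toString)
    Ok(product.getOrElse("no user agent"))
  }

  // Workaround from the advisory: read the header by name through the weakly
  // typed interface, which hands back the raw string without parsing it.
  def raw(req: Request[IO]): IO[Response[IO]] = {
    val value = req.headers.get(ci"User-Agent").map(_.head.value)
    Ok(value.getOrElse("no user agent"))
  }
}
```

The same substitution applies to the `Server` header when a client or proxy reads it from responses.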
Remediation
Upgrade to http4s 0.21.34, 0.22.15, 0.23.17, or 1.0.0-M38, whichever fixed release matches the series in use. Until the upgrade is deployed, avoid requesting the typed `User-Agent` and `Server` headers and read them through the weakly typed header interface instead.
References
https://github.com/http4s/http4s/security/advisories/GHSA-54w6-vxfh-fw7f