HTTP Request Smuggling in Http4s <1.0.0-M45 & <0.23.31 Trailer Handling
CVE-2025-59822 Published on September 23, 2025

Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of the HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers' security controls, launch targeted attacks against active users, and poison web caches. A prerequisite for exploitation is that the web application is deployed behind a reverse proxy that forwards trailer headers. This issue has been patched in versions 1.0.0-M45 and 0.23.31.


Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests pass through one or more entities in the data flow between the user and the web server, such as a proxy or firewall, those entities can interpret the same bytes inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2025-59822 has been classified as an HTTP Request Smuggling vulnerability (weakness).
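As an added illustration of the weakness class (constructed example code, not http4s code; the page does not describe the specific defect in http4s's trailer handling, so this does not reproduce it), the following Python parser reads an HTTP/1.1 chunked body together with its trailer section and refuses trailer fields that RFC 9110 section 6.5.1 says must not be sent as trailers, such as Content-Length, Transfer-Encoding and Host. Keeping those fields out of the trailer section means a trailer can never alter how the message is framed or routed, which is the disagreement between proxy and server that smuggling relies on. The names `FORBIDDEN_TRAILERS`, `parse_chunked` and `trailer_section_is_safe` are chosen here and are not part of any library.

```python
"""Strict parser for an HTTP/1.1 chunked body with a trailer section.

Added example, not http4s code. Demonstrates one defensive rule: trailer
fields that could change framing, routing, authentication or content
processing (RFC 9110 section 6.5.1) are rejected outright instead of being
merged into the request headers.
"""

# Field names (lower-case) that a recipient must never honour from a trailer.
FORBIDDEN_TRAILERS = {
    "transfer-encoding", "content-length",          # message framing
    "host",                                         # routing
    "authorization", "cookie", "set-cookie",        # authentication
    "content-encoding", "content-type",             # content processing
    "content-range", "trailer",
}

HEX_DIGITS = b"0123456789abcdefABCDEF"


class TrailerError(ValueError):
    """Raised for any malformed chunked body or disallowed trailer field."""


def _read_line(buf, pos):
    """Return (line_without_crlf, position_after_crlf) starting at pos."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise TrailerError("line not terminated by CRLF")
    return buf[pos:end], end + 2


def parse_chunked(buf):
    """Parse a chunked body; return (body, trailers, remaining_bytes).

    Raises TrailerError instead of guessing when the input is ambiguous.
    """
    pos = 0
    body = bytearray()
    while True:
        line, pos = _read_line(buf, pos)
        size_str = line.split(b";", 1)[0].strip()   # drop chunk extensions
        if not size_str or any(c not in HEX_DIGITS for c in size_str):
            raise TrailerError("bad chunk size")
        size = int(size_str, 16)
        if size == 0:
            break                                   # last-chunk: trailers follow
        chunk = buf[pos:pos + size]
        if len(chunk) != size:
            raise TrailerError("truncated chunk")
        body += chunk
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise TrailerError("chunk data not followed by CRLF")
        pos += 2

    trailers = {}
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            break                                   # empty line ends trailer section
        name, sep, value = line.partition(b":")
        # Reject missing colon, empty name, or whitespace around the name.
        if not sep or not name or name != name.strip():
            raise TrailerError("malformed trailer field")
        key = name.decode("ascii").lower()
        if key in FORBIDDEN_TRAILERS:
            raise TrailerError(f"trailer field not allowed: {key}")
        trailers[key] = value.strip().decode("ascii")
    return bytes(body), trailers, buf[pos:]


def trailer_section_is_safe(buf):
    """True if the chunked body parses and carries only permitted trailers."""
    try:
        parse_chunked(buf)
        return True
    except TrailerError:
        return False


# Constructed sample messages (not captured traffic).
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc123\r\n\r\nnext-request"
BAD_FRAMING = b"0\r\nContent-Length: 44\r\n\r\n"
BAD_ROUTING = b"5\r\nhello\r\n0\r\nHost: internal\r\n\r\n"

if __name__ == "__main__":
    body, trailers, rest = parse_chunked(GOOD)
    print(body, trailers, rest)
    for sample in (BAD_FRAMING, BAD_ROUTING):
        print(sample[:20], "accepted" if trailer_section_is_safe(sample) else "rejected")
```

The parser deliberately fails closed: a truncated chunk, a malformed trailer line or a forbidden field name all abort the request rather than being silently dropped, so a front-end proxy and this back end cannot reach different conclusions about where one request ends and the next begins.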


Affected Versions

http4s:

Vulnerable Packages

The following package names and versions may be associated with CVE-2025-59822.

Package Manager   Vulnerable Package                          Versions                     Fixed In
maven             org.http4s:http4s-ember-core_2.12           < 0.23.31                    0.23.31
maven             org.http4s:http4s-ember-core_2.13           < 0.23.31                    0.23.31
maven             org.http4s:http4s-ember-core_3              < 0.23.31                    0.23.31
maven             org.http4s:http4s-ember-core_2.13           >= 1.0.0-M1, < 1.0.0-M45     1.0.0-M45
maven             org.http4s:http4s-ember-core_3              >= 1.0.0-M1, < 1.0.0-M45     1.0.0-M45

Exploit Probability

EPSS: 0.07%
Percentile: 20.65%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to all other scored vulnerabilities.