CVE-2021-39185
📋 TL;DR
This CVE describes a Cross-Origin Resource Sharing (CORS) vulnerability in http4s, a Scala HTTP library. It allows attackers to perform origin reflection attacks and Null Origin attacks, potentially enabling cross-site request forgery (CSRF) and data theft. Users running affected http4s versions with CORS middleware enabled are vulnerable.
💻 Affected Systems
- http4s
📦 What is this software?
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
Http4s by Typelevel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform CSRF attacks to execute unauthorized actions on behalf of authenticated users, potentially leading to account takeover, data manipulation, or privilege escalation.
Likely Case
Attackers could bypass CORS protections to make unauthorized cross-origin requests, potentially stealing sensitive data or performing actions on behalf of users.
If Mitigated
With proper CORS configuration validation and origin checking, the attack surface is significantly reduced, though the underlying vulnerability remains.
🎯 Exploit Status
Exploitation requires the attacker to craft malicious web pages that make cross-origin requests to vulnerable http4s endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.21.27, 0.22.3, 0.23.2, 1.0.0-M25 or later
Vendor Advisory: https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6
Restart Required: Yes
Instructions:
1. Identify your http4s version. 2. Update to a patched version using your build tool (sbt, Maven, etc.). 3. Rebuild and redeploy your application. 4. Test CORS functionality.
🔧 Temporary Workarounds
Custom CORS Configuration
allImplement custom CORS middleware with strict origin validation instead of using the default vulnerable configuration.
// Scala code example: Implement custom CORS middleware with explicit allowed origins
Disable CORS Middleware
allTemporarily disable CORS middleware if cross-origin requests are not required for your application.
// Remove or comment out CORS middleware from your http4s application configuration
🧯 If You Can't Patch
- Implement strict origin validation in application-layer code
- Use web application firewall (WAF) rules to block suspicious CORS requests
🔍 How to Verify
Check if Vulnerable:
Check your build.sbt, build.sc, or pom.xml for http4s dependency versions in the vulnerable ranges.Check Version:
sbt 'show http4s-*/*:version' or check build configuration filesVerify Fix Applied:
Verify the updated http4s version in your build configuration and test CORS functionality with known attack patterns.📡 Detection & Monitoring
Log Indicators:
- Unusual cross-origin requests
- Requests with 'null' origin header
- CORS policy violation logs
Network Indicators:
- HTTP requests with suspicious Origin headers
- Cross-origin requests to sensitive endpoints
SIEM Query:
http.request.headers.origin:* AND http.request.headers.origin != "expected-origin"