{"id":"CVE-2021-39185","details":"Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.","aliases":["GHSA-52cf-226f-rhr6"],"modified":"2026-03-13T22:48:28.784537Z","published":"2021-09-01T20:15:07.447Z","related":["GHSA-52cf-226f-rhr6"],"references":[{"type":"ADVISORY","url":"https://github.com/http4s/http4s/releases/tag/v0.23.2"},{"type":"FIX","url":"https://github.com/http4s/http4s/security/advisories/GHSA-52cf-226f-rhr6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/http4s/http4s","events":[{"introduced":"0"},{"last_affected":"6264fa05386925afd82942976f5606b1d8181099"},{"introduced":"3e98ea4a63e741c7f9d5e917d48d2ee8fab54476"},{"last_affected":"cf77cfeb2d0bd09337da0b64a636e29bbfb77d27"},{"introduced":"0"},{"last_affected":"06db471f053023ce3ffd7c568ce46d33551d1d69"},{"introduced":"0"},{"last_affected":"c18c9b3dbb60be3f52d2ed3d74804158bee3b9f5"},{"introduced":"0"},{"last_affected":"756ce63aee681c5b632bbeafe0b8fde2f3d237f4"},{"introduced":"0"},{"last_affected":"d68768bb0936ff8fd1b95bb2d2f006d4d92b627b"},{"introduced":"0"},{"last_affected":"a6edc034138f758697a93aa4985e3621e12a2314"},{"introduced":"0"},{"last_affected":"a8189fc3c885dead089f857728b8d2b20361af6d"},{"introduced":"0"},{"last_affected":"96c1fbefc08b58922bab72f4c0503cf393cdb13d"},{"introduced":"0"},{"last_affected":"bef11333d4e7f85b0387c979f1b30fe91331f313"},{"introduced":"0"},{"last_affected":"5e7be4846286f43a19c801ff9e77a376a35a5378"},{"introduced":"0"},{"last_affected":"8f52735b5362395c86acb3d33c51b9dc3551aa4f"},{"introduced":"0"},{"last_affected":"b4beb2ac80a19ec31a843d7c80c1eff89b682a46"},{"introduced":"0"},{"last_affected":"da5224d0754579c7d8a845f13dbbcb4754aa396d"},{"introduced":"0"},{"last_affected":"cfc696d96e8f1419449bc5cf53f8d394f76cf1b2"},{"introduced":"0"},{"last_affected":"d980b0b88a42026f942c048c6097f92f78ad52f2"},{"introduced":"0"},{"last_affected":"94e23b89b520efb022842fbd404484c674222d2a"},{"introduced":"0"},{"last_affected":"c0165bc83e7f802b7fe9e50aba8bd1fd589d3e2e"},{"introduced":"0"},{"last_affected":"493d5091a891958e24c954c365ac91498106b229"},{"introduced":"0"},{"last_affected":"6227ad21e0ddc372e433d279a7cdde387b0b0e3e"},{"introduced":"0"},{"last_affected":"96f5a9f1c77bf3180d1144d4c040ef3b84af6a99"},{"introduced":"0"},{"last_affected":"cb6639a21181c460af8fd55a8c6326cb37da791f"},{"introduced":"0"},{"last_affected":"6b0d5130177eb7af03c3979b5cf99af70f452fc7"},{"introduced":"0"},{"last_affected":"45c90d58c98e4153e6ed6a355199a394f026d092"},{"introduced":"0"},{"last_affected":"20d0457c207a6e139b47b601fe4aca00c7ec05cf"},{"introduced":"0"},{"last_affected":"83e7ceb76f0a46ba27efd6c1a3b90bd1b2b8fca6"},{"introduced":"0"},{"last_affected":"490f74b689ce543a133c7e033b60cbb94cb9d539"},{"introduced":"0"},{"last_affected":"6676c1e24a4e32e0c6c1a36911f4e6606c10e12b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.21.26"},{"introduced":"0.22.0"},{"last_affected":"0.22.2"},{"introduced":"0"},{"last_affected":"0.23.0"},{"introduced":"0"},{"last_affected":"0.23.1"},{"introduced":"0"},{"last_affected":"1.0.0-milestone1"},{"introduced":"0"},{"last_affected":"1.0.0-milestone10"},{"introduced":"0"},{"last_affected":"1.0.0-milestone11"},{"introduced":"0"},{"last_affected":"1.0.0-milestone12"},{"introduced":"0"},{"last_affected":"1.0.0-milestone13"},{"introduced":"0"},{"last_affected":"1.0.0-milestone14"},{"introduced":"0"},{"last_affected":"1.0.0-milestone15"},{"introduced":"0"},{"last_affected":"1.0.0-milestone16"},{"introduced":"0"},{"last_affected":"1.0.0-milestone17"},{"introduced":"0"},{"last_affected":"1.0.0-milestone18"},{"introduced":"0"},{"last_affected":"1.0.0-milestone19"},{"introduced":"0"},{"last_affected":"1.0.0-milestone2"},{"introduced":"0"},{"last_affected":"1.0.0-milestone20"},{"introduced":"0"},{"last_affected":"1.0.0-milestone21"},{"introduced":"0"},{"last_affected":"1.0.0-milestone22"},{"introduced":"0"},{"last_affected":"1.0.0-milestone23"},{"introduced":"0"},{"last_affected":"1.0.0-milestone24"},{"introduced":"0"},{"last_affected":"1.0.0-milestone3"},{"introduced":"0"},{"last_affected":"1.0.0-milestone4"},{"introduced":"0"},{"last_affected":"1.0.0-milestone5"},{"introduced":"0"},{"last_affected":"1.0.0-milestone6"},{"introduced":"0"},{"last_affected":"1.0.0-milestone7"},{"introduced":"0"},{"last_affected":"1.0.0-milestone8"},{"introduced":"0"},{"last_affected":"1.0.0-milestone9"}]}}],"versions":["v0.21.26","v0.22.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-39185.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}