Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-613

Redirect credential leakage across scheme/port in HTTP.jl

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-5F0FFVVR ANT-2026-5HZS0066 ANT-2026-8SP7TV55 ANT-2026-GM4FVXDB ANT-2026-HTKXQYJX ANT-2026-K7VHJB7S ANT-2026-MBWGTHMA ANT-2026-PW5H10EB ANT-2026-R3BBBRAW ANT-2026-WB9V4R8Q

Description

Redirect handling decided whether to retain credential-bearing headers (Authorization, Cookie, Proxy-Authorization, etc.) by comparing only the hostname, ignoring scheme and port. As a result an httpshttp downgrade or a same-host/different-port redirect was treated as same-origin and replayed credentials over plaintext or to a different service. Additionally, per-call cookies= cookies were captured once and re-appended on every hop even after the Cookie header was stripped, and the TLS verification host was pinned to the original host across redirects.

Impact

Following an attacker-influenced redirect could disclose a client's credentials or cookies to a different origin (different scheme or port) than the one they were intended for, including over plaintext.

Patches

Fixed in HTTP.jl v2.4.0. Sensitive-header retention now requires matching scheme and port (with default-port normalization) in addition to the existing host/subdomain check, cross-origin hops also clear the explicit cookies= vector so they are not re-attached, and the SNI/verification host is recomputed from the redirect target on every hop unless the caller explicitly pinned server_name.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References