Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-615

Cookie jar accepts Secure/__Host-/__Secure- cookies from non-secure origins in HTTP.jl

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-9G63DER3 ANT-2026-GY6HYQTG ANT-2026-ZK96ACV8

Description

setcookies! stored every parsed Set-Cookie after only checking that the response scheme was http or https, with no protection symmetric to the read path (shouldsend, which already withholds Secure cookies from non-secure requests). A plaintext (http) origin could therefore plant a Secure cookie, plant a __Secure-/__Host--prefixed cookie, or overwrite/delete (via Max-Age=-1) an existing Secure cookie set over https, enabling cookie fixation against hosts that mix http and https.

Impact

A network attacker or malicious http origin could set, overwrite, or delete security-sensitive cookies in the client's cookie jar, enabling cookie fixation.

Patches

Fixed in HTTP.jl v2.4.0. Per RFC 6265bis, setcookies! now drops any Secure cookie arriving over a non-secure scheme, enforces the __Secure- and __Host- name prefixes (evaluated ASCII case-insensitively on the raw attributes), and refuses to overwrite or delete an existing Secure cookie of the same domain;path;name identity from a non-secure origin. Behavior over https is unchanged.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References