Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-617

Open redirect in the HTTP.jl static file server canonical redirects

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-59AETZK3 ANT-2026-APXT86GW

Description

The static file server's canonical 301 redirects (index-file strip, directory trailing-slash add, and file trailing-slash strip) built the Location header verbatim from the un-normalized request target. Request-target validation only requires a leading /, has no CTL bytes, and the .. check plus segment decoding drop empty segments, so a target like //evil.example/index.html or /\evil.example/ survived validation and produced a Location such as //evil.example/ — a scheme-relative network-path reference (RFC 3986 §4.2) that browsers resolve to a foreign authority.

Impact

A crafted request to the file server could produce a redirect to an attacker-controlled host (open redirect).

Patches

Fixed in HTTP.jl v2.4.0. A new _sanitize_redirect_location collapses any leading run of / or \` separators down to a single/, re-rooting theLocationat the server's own origin so it can never carry an authority component (backslashes are treated as separators because browsers normalize` to /). Every canonical-redirect branch routes its Location through the sanitizer; single-rooted local paths are unchanged.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References