Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-621

Thread-safety and out-of-bounds reads in the HTTP.jl content-type sniffer

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-07KFWYV3 ANT-2026-5FMZ73VG ANT-2026-9PKP3RJA

Description

The content-type sniffer had two memory/concurrency bugs. Number sniffing in isjson stored the strtod end-pointer out-parameter in a shared module-global Vector{Ptr{UInt8}}; concurrent sniff calls on a multithreaded server raced on that single cell between the ccall and the subsequent read, producing a non-deterministic consumed length and parse result an attacker could use to influence content-type classification. The bytes handed to jl_strtod_c were also not NUL-terminated, so strtod could read past the provided buffer. Separately, the MP4 ftyp matcher iterated comparison windows under @inbounds with a loop bound that, when boxsize == length(data), read up to three bytes past the end of the buffer.

Impact

On a multithreaded server, attacker-influenced input could non-deterministically affect content-type classification, and crafted buffers could trigger out-of-bounds heap reads (crash or potential information disclosure).

Patches

Fixed in HTTP.jl v2.4.0. The shared global is removed in favor of a per-call Ref; numeric input is copied into a freshly allocated NUL-terminated buffer so strtod is bounded; and the MP4 matcher's loop upper bound is clamped so every comparison window lies fully within the buffer.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References