Search
Search is not available in local development.
Run npx pagefind --site __site after building to enable it.
JLSEC-2026-622

Predictable WebSocket masking key and handshake nonce in HTTP.jl client

JLSEC Published
Modified
Affected Packages
HTTP < 2.4.0
Aliases / Upstream
ANT-2026-90M07PW7 ANT-2026-K6WWQH2N ANT-2026-ZQ6ARSMP

Description

The WebSocket client masking key (ws_send_frame!) and the Sec-WebSocket-Key handshake nonce (ws_random_handshake_key) were generated with rand(UInt8, n), which draws from the task-local Xoshiro256++ PRNG. Xoshiro is not cryptographically secure: its internal state can be recovered from a short run of observed outputs, and every outbound client frame exposes 4 mask bytes on the wire. An on-path observer could therefore recover the RNG state and predict all future masking keys, defeating the RFC 6455 ยง5.3 anti-cache-poisoning purpose of masking.

Impact

Predictable masking keys could let an on-path attacker who also supplies payload craft wire bytes that a non-conformant transparent proxy parses and caches (request/response smuggling and cache poisoning).

Patches

Fixed in HTTP.jl v2.4.0. A module-level CSPRNG (const WS_CSPRNG = Random.RandomDevice()) now generates both the 4-byte masking key and the 16-byte handshake nonce. The wire format and public API are unchanged.

Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.

References