Security Advisories

This page lists http4k security advisories.

Report a security vulnerability

To report a security vulnerability for a project within the http4k ecosystem, see the Security Policy.

CVE-2026-54148: DigestAuthProvider.verify did not bind to request URI

June 6th 2026

A captured Digest authentication response could be replayed against any other URL served by the same realm, breaking the per-request-URL binding the Digest scheme assumes.

CVE-2026-54147: DigestAuthProvider.verify ignored configured algorithm

June 6th 2026

The configured `algorithm` parameter was silently ignored; every verification used MD5 regardless of configuration, exposing deployments to MD5's collision weaknesses.

CVE-2026-53659: Unbounded gzip decompression allowed memory-exhaustion DoS

June 6th 2026

A small malicious gzip-encoded request body could decompress to gigabytes, exhausting the JVM heap and denying service to other clients.

CVE-2024-55875: XXE (XML External Entity Injection) vulnerability

December 12th 2024

XXE (XML External Entity Injection) vulnerability when http4k handles malicious XML content.
