GHSA-JRPC-7VXP-69P6
Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15Impact
reverseProxy() and reverseProxyRouting() matched configured vhosts by substring on the Host header (Contains matcher) by default. The intended use of these functions in http4k is outbound dispatch (e.g. matching AWS service subdomains, per the Contains docstring) and test-time composition of fake backend networks. In either of those contexts the matched Host is set by the calling application, not by an external attacker, so the loose match has no exploit surface.
If, however, reverseProxy() was deployed as a public-facing inbound HTTP handler — which the function technically supports but is not the documented intent — an external attacker could send Host: admin.evil.com and reach a vhost configured as admin, bypassing routing-based authorization.
The Contains matcher's docstring explicitly documented this loose behaviour, but because Contains was the default, callers who never read the matcher docs would still get the loose behaviour.
Who is affected: only deployments using reverseProxy() / reverseProxyRouting() as a public-facing inbound HTTP handler with two or more configured virtual hosts. The intended outbound / test-time usage is unaffected. If you did deploy reverseProxy() inbound and rely on multi-vhost routing for authorization, treat upgrade as urgent.
Patches
| Line | Fixed in | Edition |
|---|---|---|
| v6.x (Community) | 6.49.0.0 | Community |
| v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org (if reverseProxy() is present in your v5.x line) |
| v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org (if reverseProxy() is present in your v4.x line) |
The fix changes the default matcher to Exact. Existing callers that genuinely need substring matching (e.g. AWS subdomain dispatch) must explicitly pass matcher = Contains.
Workarounds
For deployments that cannot upgrade immediately: wrap your reverseProxy() with a host-allow-list filter that requires an exact match against expected vhost names before delegating.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 6.48.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.0"
},
{
"fixed": "6.49.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0.0"
},
{
"fixed": "5.42.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4k:http4k-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.51.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:15:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`reverseProxy()` and `reverseProxyRouting()` matched configured vhosts by substring on the `Host` header (`Contains` matcher) by default. The intended use of these functions in http4k is **outbound dispatch** (e.g. matching AWS service subdomains, per the `Contains` docstring) and **test-time composition** of fake backend networks. In either of those contexts the matched `Host` is set by the calling application, not by an external attacker, so the loose match has no exploit surface.\n\nIf, however, `reverseProxy()` was deployed as a public-facing inbound HTTP handler \u2014 which the function technically supports but is not the documented intent \u2014 an external attacker could send `Host: admin.evil.com` and reach a vhost configured as `admin`, bypassing routing-based authorization.\n\nThe `Contains` matcher\u0027s docstring explicitly documented this loose behaviour, but because `Contains` was the default, callers who never read the matcher docs would still get the loose behaviour.\n\n**Who is affected:** only deployments using `reverseProxy()` / `reverseProxyRouting()` as a public-facing inbound HTTP handler with two or more configured virtual hosts. The intended outbound / test-time usage is unaffected. If you *did* deploy `reverseProxy()` inbound and rely on multi-vhost routing for authorization, treat upgrade as urgent.\n\n### Patches\n\n| Line | Fixed in | Edition |\n|------|----------|---------|\n| v6.x (Community) | **6.49.0.0** | Community |\n| v5.x (LTS) | **5.42.0.0** | Enterprise \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) (if `reverseProxy()` is present in your v5.x line) |\n| v4.x (LTS) | **4.51.0.0** | Enterprise \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) (if `reverseProxy()` is present in your v4.x line) |\n\nThe fix changes the default matcher to `Exact`. Existing callers that genuinely need substring matching (e.g. AWS subdomain dispatch) must explicitly pass `matcher = Contains`.\n\n### Workarounds\n\nFor deployments that cannot upgrade immediately: wrap your `reverseProxy()` with a host-allow-list filter that requires an exact match against expected vhost names before delegating.",
"id": "GHSA-jrpc-7vxp-69p6",
"modified": "2026-06-19T21:15:59Z",
"published": "2026-06-19T21:15:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/security/advisories/GHSA-jrpc-7vxp-69p6"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/commit/0121b05537"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/commit/54c6385615"
},
{
"type": "PACKAGE",
"url": "https://github.com/http4k/http4k"
},
{
"type": "WEB",
"url": "https://github.com/http4k/http4k/releases/tag/6.49.0.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.