Information Exposure Affecting org.http4s:http4s-core package, versions [0.21.7, 0.21.24) [0.22.0-M1, 0.22.0-RC1) [0.23.0-M1, 0.23.0-RC1) [1.0.0-M2, 1.0.0-M23)

  • published

    28 May 2021

  • disclosed

    28 May 2021

How to fix?

Upgrade org.http4s:http4s-core to version 0.21.24, 0.22.0-RC1, 0.23.0-RC1, 1.0.0-M23 or higher.


org.http4s:http4s-core is the core http4s library for servers and clients.

Affected versions of this package are vulnerable to Information Exposure. Http4s is a Scala interface for HTTP services. StaticFile.fromUrl can leak the presence of a directory on a server when the URL scheme is not file://, and the URL points to a fetchable resource under its scheme and authority. The function returns F[None], indicating no resource, if url.getFile is a directory, without first checking the scheme or authority of the URL.

If opening a connection to the URL would return a stream for that scheme and authority, and the path component of the URL also exists as a directory on the server, the presence of that directory can be inferred from the resulting 404 response. The contents and other metadata of the directory are not exposed.
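The decision described above, reduced to its two shapes as an added example (this is not http4s's own code; the hardened variant assumes the fix is a scheme check in front of the directory test, which is what the description implies):

```scala
import java.io.File
import java.net.URL
import java.nio.file.Files

object DirectoryCheck {
  // Vulnerable shape: the local filesystem is consulted for every scheme, so an
  // http:// URL whose path happens to match a local directory is reported as
  // "no resource" (F[None], a 404) before any fetch under that scheme is tried.
  def isDirectoryVulnerable(url: URL): Boolean =
    new File(url.getFile).isDirectory

  // Hardened shape (assumption: scheme gate in front of the directory test):
  // only file:// URLs may touch the local filesystem; for every other scheme
  // the outcome is left entirely to the fetch, so no local directory is revealed.
  def isDirectoryHardened(url: URL): Boolean =
    url.getProtocol == "file" && new File(url.getFile).isDirectory

  def main(args: Array[String]): Unit = {
    // Constructed sample: a real temporary directory on the local disk, and an
    // http URL whose path component matches it (example.invalid is a reserved name).
    val dir = Files.createTempDirectory("http4s-example").toFile
    val httpUrl = new URL("http", "example.invalid", dir.getAbsolutePath)
    val fileUrl = dir.toURI.toURL

    println(s"vulnerable, http URL: ${isDirectoryVulnerable(httpUrl)}") // true: 404 reveals local dir
    println(s"hardened,   http URL: ${isDirectoryHardened(httpUrl)}")   // false: falls through to fetch
    println(s"hardened,   file URL: ${isDirectoryHardened(fileUrl)}")   // true: directory, no resource
    dir.delete()
  }
}
```

The vulnerable variant answers `true` for the http URL purely from local filesystem state, which is the signal an observer could use; the hardened variant only reaches the filesystem for `file://` URLs.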