CVE-2025-59822: 
Java vulnerability analysis and mitigation

CVE-2025-59822 affects Http4s, a Scala interface for HTTP services, in versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31. The vulnerability is related to HTTP Request Smuggling due to improper handling of HTTP trailer section. The issue was discovered and disclosed on September 23, 2025 (NVD, GitHub Advisory).

The vulnerability stems from a bug in the HTTP chunked message parser's handling of the trailer section. After parsing the last body chunk, the parseTrailers method is called, which uses Parser.parse where the vulnerability originates. The parser has a flaw that allows termination before finding the double CRLF condition, specifically when encountering a header line without a colon character. The CVSS v4.0 base score is 6.3 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability could enable attackers to bypass front-end servers security controls, launch targeted attacks against active users, and poison web caches. The exploitation requires the web application to be deployed behind a reverse-proxy that forwards trailer headers (GitHub Advisory).

The vulnerability has been patched in versions 1.0.0-M45 and 0.23.31. Users are advised to upgrade to these patched versions to mitigate the risk (GitHub Advisory).