Security vulnerabilities have been reported in a few Julia packages. We recommend all users upgrade to the latest version of these packages as soon as possible. Each vulnerability has been assigned a CVE and published as a GitHub Security Advisory.
- The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or validated, this could lead to a CRLF injection attack.
More information here: CR/LF injection in URIs.jl (also affects HTTP.jl) · Advisory · JuliaWeb/HTTP.jl · GitHub
This has been assigned CVE-2025-52479.
A couple of notes on this particular issue:
- The Downloads.jl package in the standard library is NOT vulnerable to this issue.
- The forthcoming 2.0 version of HTTP.jl is also not vulnerable to this issue.
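To make the CR/LF point concrete, here is an added example in Python (it is not code from URIs.jl or HTTP.jl): untrusted path and query components are percent-encoded before the URI is assembled, so a CR/LF supplied by a user becomes `%0D%0A` rather than terminating the request line or starting a new header, and trusted components are checked for raw control characters. The function names and the encode-untrusted/validate-trusted policy are assumptions chosen for illustration.

```python
"""Keep CR/LF out of URIs built from user input.

Added example (Python, not URIs.jl/HTTP.jl code). The function names and the
policy of percent-encoding untrusted components are illustrative assumptions."""
from urllib.parse import quote

# Control characters that must never appear raw in a request line or header.
_CTL = "\r\n\0"


def find_ctl(s: str) -> list:
    """Positions of raw CR/LF/NUL in a string: a CRLF-injection indicator.

    Check the *raw* string. Python's urllib.parse.urlsplit() strips ASCII
    newlines and tabs before parsing, so a check on its output misses them.
    """
    return [(i, ch) for i, ch in enumerate(s) if ch in _CTL]


def build_uri(scheme: str, host: str, path: str, query_params: list) -> str:
    """Build a URI from trusted scheme/host and untrusted path/query.

    Untrusted parts are percent-encoded, so a CR/LF supplied by a user becomes
    %0D%0A instead of breaking out of the request line.
    """
    # Trusted components are validated, not encoded: encoding a scheme or
    # host would silently turn it into a different destination.
    for name, value in (("scheme", scheme), ("host", host)):
        if find_ctl(value):
            raise ValueError(f"control character in {name}: {value!r}")
    enc_path = quote(path, safe="/")
    enc_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in query_params
    )
    uri = f"{scheme}://{host}{enc_path}"
    if enc_query:
        uri += "?" + enc_query
    # Nothing raw may survive the build, whatever the inputs were.
    assert not find_ctl(uri)
    return uri


if __name__ == "__main__":
    # Constructed input: a query value carrying an injected header line.
    tainted = "a\r\nX-Injected: 1"
    print(find_ctl(tainted))
    print(build_uri("https", "example.com", "/search", [("q", tainted)]))
```

The `find_ctl` check is the detection half: run it on the raw string at the point where a URI or header value enters the system, before any parser that normalises whitespace has a chance to hide the characters.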
- Lack of validation for user-provided fields in GitForge.jl.
More information here: Lack of validation for user-provided fields in GitForge.jl · Advisory · JuliaWeb/GitForge.jl · GitHub
This has been assigned CVE-2025-50178.
- Command and argument injection in Registrator.jl.
More information here: Command injection in `withpasswd()` function in Registrator.jl · Advisory · JuliaRegistries/Registrator.jl · GitHub and here: Argument injection in `gettreesha()` function in Registrator.jl · Advisory · JuliaRegistries/Registrator.jl · GitHub
These have been assigned CVE-2025-52483 and CVE-2025-52480 respectively.
Each of these three issues was found by splitline from the DEVCORE Research Team. We thank them for their well-researched report and responsible disclosure.
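The two Registrator.jl issues are of different kinds: command injection (a user value interpolated into a shell command line) and argument injection (a user value that begins with `-` and is parsed as an option by the invoked tool). The added example below, in Python and not Registrator.jl's own code, shows the hardening that addresses both: an allow-list that rejects option-like and metacharacter-bearing values, an argv list passed without a shell, and an end-of-options marker so that even a value that slipped through cannot be read as a flag. The external tool being git, the `--end-of-options` flag (git 2.24 and later) and the allow-list policy are assumptions for illustration.

```python
"""Argument- and command-injection hardening for values handed to a CLI.

Added example, not code from Registrator.jl. Assumptions: the external tool
is git and it accepts `--end-of-options` (git >= 2.24); the allow-list below
is an illustrative policy, not the project's."""
import re
import subprocess

# Allow-list: must start with an alphanumeric (never '-') and contain only
# characters that mean nothing to the shell or to an option parser.
_TOKEN_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._/@+-]{0,255}\Z")


def classify_token(value: str) -> str:
    """Return 'ok' or the reason a user-supplied token is rejected."""
    if value == "":
        return "empty"
    if value.startswith("-"):
        return "leading-dash"      # would be parsed as an option: argument injection
    if any(c in value for c in "\r\n\0"):
        return "control-char"
    if not _TOKEN_RE.fullmatch(value):
        return "disallowed-char"   # shell metacharacters, whitespace, quotes ...
    return "ok"


def validate_token(value: str) -> str:
    """Raise on anything the allow-list does not accept; return it otherwise."""
    verdict = classify_token(value)
    if verdict != "ok":
        raise ValueError(f"rejected {value!r}: {verdict}")
    return value


def unsafe_shell_line(ref: str) -> str:
    """The pattern to avoid: interpolating a user value into a shell string.

    Passed to a shell, metacharacters in `ref` become separate commands.
    """
    return f"git rev-parse {ref}"


def hardened_argv(repo_dir: str, ref: str) -> list:
    """argv list (no shell) with a validated token placed after
    --end-of-options, so it can never be parsed as an option."""
    return ["git", "-C", repo_dir, "rev-parse", "--verify",
            "--end-of-options", validate_token(ref)]


def run_argv(argv: list) -> str:
    # shell=False: the list goes straight to exec, nothing is re-parsed.
    result = subprocess.run(argv, capture_output=True, text=True,
                            check=True, timeout=30)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed samples: one clean ref, one option-like, one with metacharacters.
    for sample in ("main", "--output=somewhere", "v1.0; echo injected"):
        print(f"{sample!r:24} -> {classify_token(sample)}")
    print(hardened_argv("/srv/repo", "main"))
```

`classify_token` doubles as a detection hook: logging its non-`ok` verdicts at the input boundary gives a cheap signal that someone is probing a service with option-like or metacharacter-laden values.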
- Lack of validation for user-provided fields in GitHub.jl.
More information: Lack of validation for user-provided fields in GitHub.jl · Advisory · JuliaWeb/GitHub.jl · GitHub
This has been assigned CVE-2025-52569.
This was found by Dilum Aluthge based on similarities with the issues in GitForge.jl.
We recommend everyone move to the latest versions of each of these packages as soon as possible. In particular, if you are using Registrator.jl in your organisations, you should upgrade immediately. The combination of the first three issues can cause remote code execution inside a Registrator instance.
The web registrator on Juliahub.com and the GitHub registrator comment-bot have both been patched.
Thanks to Tanmay, Nishanth, and Dilum for helping triage and fix these issues.