// SECURITY

We do our security homework in public.

Every advisory below ships with the full story - root cause, affected versions, fix, and a timestamped timeline from discovery to disclosure. No quiet patches, no buried CVEs.

REPORT

Found something?

Disclose privately via GitHub Security Advisories or [email protected]. We respond fast - see the timelines below.

CVD POLICY

Coordinated disclosure

How we triage, fix and disclose vulnerabilities responsibly. Read the full policy.

SIGNING KEYS

Verify our artifacts

Public cosign keys for verifying http4k artifact signatures and provenance.

// ADVISORIES

Published security advisories

4 advisories · newest first
Severity
Advisory
Disclosed
HIGH

CVE-2026-53659: Unbounded gzip decompression allowed memory-exhaustion DoS

A small malicious gzip-encoded request body could decompress to gigabytes, exhausting the JVM heap and denying service to other clients.

16 Jun 2026
MODERATE

CVE-2026-54147: DigestAuthProvider.verify ignored configured algorithm

The configured `algorithm` parameter was silently ignored; every verification used MD5 regardless of configuration, exposing deployments to MD5's …

16 Jun 2026
HIGH

CVE-2026-54148: DigestAuthProvider.verify did not bind to request URI

A captured Digest authentication response could be replayed against any other URL served by the same realm, breaking the per-request-URL binding the …

16 Jun 2026
HIGH

CVE-2024-55875: XXE(XML External Entity Injection) vulnerability

XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents

12 Dec 2024
// PROACTIVE LLM SECURITY AUDITS

We don't wait for someone to find the bug.

We run proactive, LLM-assisted security audits across the entire http4k codebase - putting frontier models in the ring against all 200+ modules to surface issues before anyone in the wild does. Several of the advisories above came straight out of that programme, including bugs quietly present since 2017. Software that claims zero vulnerabilities usually just isn't looking.

Read "Tale of the tape: Claude vs http4k" →
200+
modules reviewed by the audit pass
3
advisories surfaced proactively, then fixed
100%
disclosed publicly, with full timelines
scarf