Every advisory below ships with the full story - root cause, affected versions, fix, and a timestamped timeline from discovery to disclosure. No quiet patches, no buried CVEs.
Disclose privately via GitHub Security Advisories or [email protected]. We respond fast - see the timelines below.
How we triage, fix and disclose vulnerabilities responsibly. Read the full policy.
Public cosign keys for verifying http4k artifact signatures and provenance.
CVE-2026-53659: Unbounded gzip decompression allowed memory-exhaustion DoS
A small malicious gzip-encoded request body could decompress to gigabytes, exhausting the JVM heap and denying service to other clients.
CVE-2026-54147: DigestAuthProvider.verify ignored configured algorithm
The configured `algorithm` parameter was silently ignored; every verification used MD5 regardless of configuration, exposing deployments to MD5's …
CVE-2026-54148: DigestAuthProvider.verify did not bind to request URI
A captured Digest authentication response could be replayed against any other URL served by the same realm, breaking the per-request-URL binding the …
CVE-2024-55875: XXE(XML External Entity Injection) vulnerability
XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents
We run proactive, LLM-assisted security audits across the entire http4k codebase - putting frontier models in the ring against all 200+ modules to surface issues before anyone in the wild does. Several of the advisories above came straight out of that programme, including bugs quietly present since 2017. Software that claims zero vulnerabilities usually just isn't looking.
Read "Tale of the tape: Claude vs http4k" →