Welcome to JuliaHub's Trust and Security Portal. Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
We are currently working to make our company policies available. Please contact us for more details.
JuliaHub Security Bulletin: URL injection vulnerabilities.
Summary
Security vulnerabilities have been reported in a few Julia packages: HTTP.jl, GitForge.jl, GitHub.jl and Registrator.jl. Updated versions of all these packages with fixes for the known vulnerabilities are now available.
Details of vulnerabilities
- The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. More information here: https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93
  This has been assigned CVE-2025-52479.
  A few notes on this particular issue:
  - The Downloads package in the standard library is NOT vulnerable to this issue.
  - The forthcoming 2.0 version of HTTP.jl is also not vulnerable to this issue.
- Lack of validation for user-provided fields in GitForge.jl. More information here: https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm
  This has been assigned CVE-2025-50178.
- Command and argument injection in Registrator.jl. More information: https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-589r-g8hf-xx59 and https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68
  These have been assigned CVE-2025-52483 and CVE-2025-52480.

Each of the above issues was found by splitline from the DEVCORE Research Team.

- Lack of validation for user-provided fields in GitHub.jl. More information: https://github.com/JuliaWeb/GitHub.jl/security/advisories/GHSA-jg9p-c3wh-q83x
  This has been assigned CVE-2025-52569.
  This was found by Dilum Aluthge based on similarities with the issues in GitForge.jl.
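The HTTP.jl item above describes the defensive property that was missing: a value taken from user input must not be able to carry a raw CR or LF into a URI, because in a request line or header that sequence terminates the current line. The following Julia snippet is an added example written for this bulletin, not code from URIs.jl, HTTP.jl or JuliaHub; it uses only Base Julia, and the function names (`assert_no_ctl`, `percent_encode`, `safe_query`) and the sample input are illustrative. It shows the two standard mitigations: reject a component outright when it contains a control character, or percent-encode everything outside the RFC 3986 unreserved set so CR/LF become `%0D%0A`.

```julia
# Added example, not part of the JuliaHub bulletin or of URIs.jl/HTTP.jl.
# Function and constant names are illustrative, not package APIs.

# Characters that must never survive raw into a URI component.
const CTL_CHARS = ('\r', '\n', '\0')

# Hard-fail validator: use where the value must be a clean token
# (host, path segment) rather than free text.
function assert_no_ctl(component::AbstractString, name::AbstractString)
    for c in component
        c in CTL_CHARS && throw(ArgumentError(
            "URI $name contains control character $(repr(c)); rejecting"))
    end
    return component
end

# RFC 3986 "unreserved" characters; everything else is percent-encoded.
const UNRESERVED = Set{Char}(vcat('A':'Z', 'a':'z', '0':'9', ['-', '.', '_', '~']))

# Percent-encode a string byte by byte, so multi-byte UTF-8 and CR/LF
# are both turned into %XX sequences and cannot break out of the URI.
function percent_encode(s::AbstractString)
    io = IOBuffer()
    for b in codeunits(s)
        c = Char(b)
        if b < 0x80 && c in UNRESERVED
            write(io, c)
        else
            print(io, '%', uppercase(string(b, base=16, pad=2)))
        end
    end
    return String(take!(io))
end

# Build a query string from untrusted key/value pairs, encoding both sides.
function safe_query(params::AbstractVector{<:Pair{<:AbstractString,<:AbstractString}})
    return join((percent_encode(k) * "=" * percent_encode(v) for (k, v) in params), "&")
end

# Constructed sample input: a value that smuggles a CRLF sequence.
untrusted_repo = "JuliaLang/julia\r\nInjected: 1"

# Escaping path: the CRLF is neutralised as %0D%0A.
println(safe_query(["repo" => untrusted_repo]))

# Rejecting path: the same value is refused for a path component.
try
    assert_no_ctl(untrusted_repo, "path")
catch e
    println("rejected: ", e.msg)
end
```

Which of the two to use depends on the component: query values and form fields are normally encoded, while a host name or a path segment that should never contain such bytes is better rejected so the anomaly surfaces in logs rather than being silently transformed.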
Impact on the JuliaHub platform
The Registrator.jl vulnerability, when stacked on the HTTP.jl and GitForge.jl issues, had the potential to create RCE in the JuliaHub platform. The hosted platform on JuliaHub.com was patched within a day of the vulnerability report. This advisory is being released after a few days to allow patched releases of all the related open source packages.
The impact to client instances of the JuliaHub platform (Team, Enterprise, and Self-Managed tiers) is much more limited, since Registrator functionality is available only to existing users authenticated by SSO. Updates to these instances are in process, in coordination with the clients.
We have verified from the logs that we can see no attempt being made to exploit this issue, either on JuliaHub.com or on any of the client instances that we host.
Finally, v6.9.2 of the JuliaHub platform has been released with updated dependencies that patch all these vulnerabilities.
Recommendation to customers
- Upgrade all internal Julia codebases to use HTTP.jl v1.10.16 and URIs.jl v1.6.0 immediately.
- Upgrade to JuliaHub platform v6.9.2 when possible.
Impact of the XZ upstream backdoor vulnerability on Julia and JuliaHub
Summary
A backdoor was identified in the popular XZ data compression library. We do not believe any JuliaHub infrastructure or any Julia users are affected by this issue.
Background
A thread in the oss-security mailing list reported that the XZ Utils project was affected by a backdoor: one of the current maintainers of the project appeared to have injected malicious code, included in versions v5.6.0 and v5.6.1 of the xz-utils package, that under certain circumstances could potentially compromise an OpenSSH client and obtain login credentials to remote systems. This issue has been assigned CVE-2024-3094.
Details
The open source Julia ecosystem
The backdoor is added to a binary build of XZ under the following conditions:
- The target system is x86_64-linux-gnu (Linux kernel, on x86_64 architecture, using glibc as the standard C library)
- The compiler is GCC
- The build system detects that dpkg or rpm is being used
Julia packages use binary builds of native C libraries that are created using our own infrastructure, which are distributed as so-called jll packages. This build system does not meet condition 3 above, and therefore we believe Julia users who have installed XZ using the Julia package manager are not vulnerable to this backdoor. The announcement of the security exploit in the oss-security mailing list includes a script to detect whether a build of liblzma is vulnerable, by checking whether a certain pattern is present in the hexadecimal dump of the library. We have verified that our builds of liblzma.so in XZ_jll v5.6.0 and v5.6.1 do not contain the known pattern. Please talk to your JuliaHub support contact if you want to run this analysis yourself.
Out of an abundance of caution, however, the XZ_jll package versions 5.6.0 and 5.6.1 have been removed from the Julia package registry. They can no longer be installed – users are able to install only versions up to 5.4.6.
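A user who wants to confirm which XZ_jll build an environment actually resolved to can ask Pkg directly. The snippet below is an added example, not from the bulletin or from the XZ_jll project; it walks `Pkg.dependencies()` (a real Pkg API returning one `PackageInfo` per package in the active environment, with `name` and `version` fields) and flags the two versions named above. The function name `xz_jll_status` is illustrative. It does not perform the hex-pattern check from the oss-security announcement, since that pattern is not reproduced here.

```julia
# Added example, not part of the JuliaHub bulletin. Lists every XZ_jll
# dependency of the active Julia environment and marks the two versions
# the bulletin says were removed from the registry.
using Pkg

# Versions named in the CVE-2024-3094 bulletin.
const AFFECTED_XZ = (v"5.6.0", v"5.6.1")

# Return a vector of (name, version, affected?) tuples, one per XZ_jll entry.
# `version` is `nothing` for a package tracked by path or without a version.
function xz_jll_status()
    out = Tuple{String,Union{Nothing,VersionNumber},Bool}[]
    for (_, info) in Pkg.dependencies()
        info.name == "XZ_jll" || continue
        v = info.version
        push!(out, (info.name, v, v !== nothing && v in AFFECTED_XZ))
    end
    return out
end

# Print a one-line verdict per entry; an empty result means XZ_jll is not
# in this environment at all.
status = xz_jll_status()
isempty(status) && println("XZ_jll is not a dependency of the active environment")
for (name, v, hit) in status
    println(name, " ", v, hit ? "  <-- version listed in the bulletin" : "  ok")
end
```

Run it once per environment of interest (for example with `julia --project=path/to/env`), since `Pkg.dependencies()` only reports the environment that is currently active.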
The JuliaHub Platform
All JuliaHub platform servers and container images are derived from Debian stable. The vulnerable packages were only added to Debian unstable, and therefore did not make it into any of our builds or images.
JuliaHub enterprise customers should talk to their support contacts if they need any assistance in extracting the list of users who have installed XZ versions v5.6.0 and v5.6.1 from the logs. Again, this is only for an abundance of caution, as we do not believe those users are vulnerable.
Acknowledgements
- The original announcement by Andres Freund: https://www.openwall.com/lists/oss-security/2024/03/29/4
- The Julia ecosystem bulletin by Mosè Giordano: https://discourse.julialang.org/t/psa-backdoor-in-xz-utils-and-relevance-for-the-julia-ecosystem/112328