Trust & Security

Summary

Security vulnerabilities have been reported in a few Julia packages: HTTP.jl, Gitforge.jl, Github.jl and Registrator.jl. Updated versions of all these packages with fixes for the known vulnerabilities are now available.

Details of vulnerabilities

1. The URIs.jl and HTTP.jl packages allowed the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack.

   More information here: https://github.com/JuliaWeb/HTTP.jl/security/advisories/GHSA-4g68-4pxg-mw93

   This has been assigned CVE-2025-52479

   A few notes on this particular issue:

   • The Downloads package in the standard library is NOT vulnerable to this issue.
   • The forthcoming 2.0 version of HTTP.jl is also not vulnerable to this issue.

2. Lack of validation for user provided fields in GitForge.jl

   More information here: https://github.com/JuliaWeb/GitForge.jl/security/advisories/GHSA-g2xx-229f-3qjm

   This has been assigned CVE-2025-50178

3. Command and Argument injection in Registrator.jl

   More information: https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-589r-g8hf-xx59 and https://github.com/JuliaRegistries/Registrator.jl/security/advisories/GHSA-w8jv-rg3h-fc68

   These have been assigned CVE-2025-52483 and CVE-2025-52480

   Each of these above issues were found by splitline from the DEVCORE Research Team.

4. Lack of validation for user-provide fields in GitHub.jl

   More information: https://github.com/JuliaWeb/GitHub.jl/security/advisories/GHSA-jg9p-c3wh-q83x

   This has been assigned CVE-2025-52569

   This was found by Dilum Aluthge based on similarities with the issues in GitForge.jl

Impact on the JuliaHub platform

The Registrator.jl vulnerability when stacked on the HTTP.jl and GitForge.jl issues had the potential to create RCE in the JuliaHub platform. The hosted platform on JuliaHub.com was patched within a day of the vulnerability report. This advisory is being released after a few days to allow patched releases of all the related open source packages.

The impact to client instances of the JuliaHub platform (Team, Enterprise, and Self-Managed tiers) is much more limited, since Registrator functionality is available only to existing users authenticated by SSO. Updates to these instances are in process, in coordination with the clients.

We have verified from the logs that we can see no attempt being made to exploit this issue, either on JuliaHub.com or on any of the client instances that we host.

Finally, v6.9.2 of the JuliaHub platform has been released with updated dependencies that patch all these vulnerabilities.

Recommendation to customers

• Upgrade all internal Julia codebases to use HTTP.jl v1.10.16 and URIs.jl v1.6.0 immediately.
• Upgrade to JuliaHub platform v6.9.2 when possible.

Summary

A backdoor was identified in the popular XZ data compression library. We do not believe any JuliaHub infrastructure or any Julia users are affected by this issue.

Background

A thread in oss-security mailing list reported that the XZ Utils project was affected by a backdoor: one of the current maintainers of the project appeared to have injected malicious code, included in versions v5.6.0 and v5.6.1 of the xz-utils package, that under certain circumstances could potentially compromise an OpenSSH client and obtain login credentials to remote systems. This issue has been assigned CVE-2024-3094.

Details

The open source Julia ecosystem

The backdoor is added to a binary build of XZ under the following conditions:

1. The target system is x86_64-linux-gnu (Linux kernel, on x86_64 architecture, using glibc as standard C library)
2. the compiler is GCC
3. the build system detects dpkg or rpm are being used

Julia packages use binary builds of native C libraries that are created using our own infrastructure, which are distributed as so-called jll packages. This build system does not meet condition 3 above, and therefore we believe Julia users who have installed XZ using the Julia package manager are not vulnerable to this backdoor. The announcement of the security exploit in the oss-security mailing list includes a script to detect whether a build of liblzma is vulnerable, by checking a certain pattern is present in the hexadecimal dump of the library. We have verified our builds of liblzma.so in XZ_jll v5.6.0 and v5.6.1 do not contain the known pattern. Please talk to your JuliaHub support contact if you want to run this analysis yourself.

In the abundance of caution however, the XZ_jll package versions 5.6.0 and 5.6.1 have been removed from the Julia package registry. They can no longer be installed – users are able to install only versions up to 5.4.6.

The Juliahub Platform

All JuliaHub platform servers and container images are derived from Debian stable. The vulnerable packages were only added to Debian unstable, and therefore did not make it into any of our builds or images.

JuliaHub enterprise customers should talk to their support contacts if they need any assistance in extracting the list of users who have installed XZ versions v5.6.0 and v5.6.1 from the logs. Again, this is only for an abundance of caution, as we do not believe those users are vulnerable.

Acknowledgements

• The original announcement by Andres Freund: https://www.openwall.com/lists/oss-security/2024/03/29/4
• The Julia ecosystem bulletin by Mosè Giordano: https://discourse.julialang.org/t/psa-backdoor-in-xz-utils-and-relevance-for-the-julia-ecosystem/112328