7.4
CVE-2026-45300
- EPSS 0.32%
- Published 05.06.2026 19:32:43
- Last modified 08.06.2026 18:37:41
- Source security-advisories@github.com
async-http-client: Cookie header not stripped on cross-origin redirect
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
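The defect described above is a header-propagation rule that treats `Cookie` differently from `Authorization` on a cross-origin hop. The following is an added, stand-alone illustration of the corrected rule, not code from the async-http-client project: `sameOrigin` and `effectivePort` are helpers written here, the `propagatedHeaders` name is borrowed from the advisory but the body is this example's own, and the hostnames and header values are constructed sample data.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RedirectHeaderFilter {
    // Credentials that must not follow a redirect to another origin. The
    // vulnerable versions only covered the first two; Cookie is the addition.
    private static final Set<String> CROSS_ORIGIN_SENSITIVE =
        Set.of("authorization", "proxy-authorization", "cookie");

    /** Two URIs share an origin only if scheme, host and effective port match. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }

    // Default ports count as explicit ones so https://h and https://h:443 match.
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Copies request headers onto the redirected request; drops credentials when the origin changes. */
    static Map<String, List<String>> propagatedHeaders(Map<String, List<String>> original,
                                                       URI from, URI to) {
        boolean crossOrigin = !sameOrigin(from, to);
        Map<String, List<String>> out = new LinkedHashMap<>();
        original.forEach((name, values) -> {
            if (crossOrigin && CROSS_ORIGIN_SENSITIVE.contains(name.toLowerCase())) {
                return; // stripped: never sent to the other origin
            }
            out.put(name, values);
        });
        return out;
    }

    public static void main(String[] args) {
        Map<String, List<String>> req = new LinkedHashMap<>();
        req.put("Cookie", List.of("SESSION=constructed-sample-value"));   // constructed
        req.put("Authorization", List.of("Bearer constructed-sample-token")); // constructed
        req.put("Accept", List.of("application/json"));
        URI start = URI.create("https://app.example/login");          // constructed hosts
        URI samePath = URI.create("https://app.example:443/home");
        URI otherHost = URI.create("https://other.example/landing");
        System.out.println("same-origin keeps: " + propagatedHeaders(req, start, samePath).keySet());
        System.out.println("cross-origin keeps: " + propagatedHeaders(req, start, otherHost).keySet());
    }
}
```

The same-origin hop keeps all three headers; the cross-origin hop forwards only `Accept`, which is the behaviour the patched releases restore for `Cookie`.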
Data provided by the National Vulnerability Database (NVD)
Asynchttpclient Project ≫ Async-http-client Version >= 2.0.0 < 2.15.0
Asynchttpclient Project ≫ Async-http-client Version >= 3.0.0 < 3.0.10
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.238 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.4 | 2.8 | 4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10