
async-http-client-2.12.4.jar: 5 vulnerabilities (highest severity is: 7.5) reachable #278

@mend-for-github-com

Description

Vulnerable Library - async-http-client-2.12.4.jar

The Async Http Client (AHC) classes.

Library home page: http://github.com/AsyncHttpClient/async-http-client

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.asynchttpclient/async-http-client/2.12.4/c7ac461afff5c792af9557b11b334e139fc4f426/async-http-client-2.12.4.jar

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Vulnerabilities

| Vulnerability | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (async-http-client version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-40490 | Medium | 6.8 | Not Defined | 0.065% | async-http-client-2.12.4.jar | Direct | 2.14.5 | | Reachable |
| CVE-2025-58057 | Medium | 5.3 | Not Defined | 0.068% | netty-codec-4.1.119.Final.jar | Transitive | 2.15.0 | | Reachable |
| CVE-2026-42583 | High | 7.5 | Not Defined | 0.04% | netty-codec-4.1.119.Final.jar | Transitive | 3.0.3 | | |
| CVE-2026-45300 | High | 7.4 | Not Defined | | async-http-client-2.12.4.jar | Direct | https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-2.15.0, https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-3.0.10 | | |
| CVE-2026-42578 | Medium | 5.3 | Not Defined | 0.047% | netty-handler-proxy-4.1.60.Final.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2026-40490

Vulnerable Library - async-http-client-2.12.4.jar

The Async Http Client (AHC) classes.

Library home page: http://github.com/AsyncHttpClient/async-http-client

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.asynchttpclient/async-http-client/2.12.4/c7ac461afff5c792af9557b11b334e139fc4f426/async-http-client-2.12.4.jar

Dependency Hierarchy:

  • async-http-client-2.12.4.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

com.opentok.util.HttpClient (Application)
  -> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
   -> ❌ org.asynchttpclient.netty.request.NettyRequestSender (Vulnerable Component)

Vulnerability Details

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set "(stripAuthorizationOnRedirect(true))" in the client config and avoid using Realm-based authentication with redirect following enabled. Note that "(stripAuthorizationOnRedirect(true))" alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following ("followRedirect(false)") and handle redirects manually with origin validation.

Publish Date: 2026-04-18

URL: CVE-2026-40490

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.065%

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-18

Fix Resolution: 2.14.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-58057

Vulnerable Library - netty-codec-4.1.119.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar

Dependency Hierarchy:

  • async-http-client-2.12.4.jar (Root Library)
    • netty-codec-socks-4.1.60.Final.jar
      • netty-codec-4.1.119.Final.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

com.opentok.util.HttpClient (Application)
  -> org.asynchttpclient.DefaultAsyncHttpClient (Extension)
   -> org.asynchttpclient.netty.channel.ChannelManager (Extension)
    -> io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator (Extension)
     -> io.netty.handler.codec.MessageAggregator (Extension)
      -> ❌ io.netty.handler.codec.MessageAggregationException (Vulnerable Component)

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-03

URL: CVE-2025-58057

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.068%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-03

Fix Resolution (io.netty:netty-codec): 4.1.125.Final

Direct dependency fix Resolution (org.asynchttpclient:async-http-client): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-42583

Vulnerable Library - netty-codec-4.1.119.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.119.Final/337ca8e8c3ef23925e02d56347b414d7616d1d02/netty-codec-4.1.119.Final.jar

Dependency Hierarchy:

  • async-http-client-2.12.4.jar (Root Library)
    • netty-codec-socks-4.1.60.Final.jar
      • netty-codec-4.1.119.Final.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Vulnerability Details

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Publish Date: 2026-05-13

URL: CVE-2026-42583

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.04%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-08

Fix Resolution (io.netty:netty-codec): 4.1.133.Final

Direct dependency fix Resolution (org.asynchttpclient:async-http-client): 3.0.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-45300

Vulnerable Library - async-http-client-2.12.4.jar

The Async Http Client (AHC) classes.

Library home page: http://github.com/AsyncHttpClient/async-http-client

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.asynchttpclient/async-http-client/2.12.4/c7ac461afff5c792af9557b11b334e139fc4f426/async-http-client-2.12.4.jar

Dependency Hierarchy:

  • async-http-client-2.12.4.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Vulnerability Details

Summary

async-http-client leaks "Cookie" headers to cross-origin redirect targets. When following a redirect across a security boundary (different origin, or HTTPS→HTTP downgrade), the "propagatedHeaders()" method in "Redirect30xInterceptor.java" strips "Authorization" and "Proxy-Authorization" headers but does not strip "Cookie", so session cookies and other sensitive cookie values are forwarded to the redirect target, which may be attacker-controlled.

Details

The vulnerability is in "client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java". The caller computes "stripAuth" on each redirect:

```java
boolean sameBase = request.getUri().isSameBase(newUri);
boolean stripAuth = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;
// ...
requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuth));
```

"stripAuth" is "true" whenever the redirect crosses an origin, downgrades the scheme, or the caller opted in via "AsyncHttpClientConfig#isStripAuthorizationOnRedirect()". In the vulnerable version, "propagatedHeaders()" only removes "Authorization" and "Proxy-Authorization" in that branch; "Cookie" is left untouched:

```java
private static HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody, boolean stripAuthorization) {
    HttpHeaders headers = request.getHeaders()
            .remove(HOST)
            .remove(CONTENT_LENGTH);

    if (!keepBody) {
        headers.remove(CONTENT_TYPE);
    }

    if (stripAuthorization || (realm != null && (realm.getScheme() == AuthScheme.NTLM || realm.getScheme() == AuthScheme.SCRAM_SHA_256))) {
        headers.remove(AUTHORIZATION)
               .remove(PROXY_AUTHORIZATION);
        // BUG: COOKIE is not removed here, so cookies leak across the security boundary.
    }
    return headers;
}
```

The companion test class "RedirectCredentialSecurityTest" covers "Authorization" / "Proxy-Authorization" stripping on cross-origin redirects and scheme downgrades, but has no coverage for "Cookie", which is why the regression went unnoticed.

Proof of concept

```java
import org.asynchttpclient.*;
import static org.asynchttpclient.Dsl.asyncHttpClient;

AsyncHttpClient client = asyncHttpClient();

// trusted-api.com responds 302 -> https://evil.com
Request request = new RequestBuilder("GET")
        .setUrl("https://trusted-api.com/endpoint")
        .setHeader("Cookie", "session=abc123; csrf=xyz789; api_key=secret")
        .setHeader("Authorization", "Bearer token123")
        .build();

client.executeRequest(request).get();

// Request seen by evil.com after the redirect:
// Authorization:                                        (stripped)
// Cookie: session=abc123; csrf=xyz789; api_key=secret   <-- leaked
```

Impact

  • Session hijacking: leaked session cookies allow impersonation.
  • CSRF token theft: CSRF tokens carried in cookies are disclosed.
  • API key theft: API keys stored in cookies are disclosed.
  • Privacy: tracking identifiers leak to third-party origins.

Realistic attack paths:

  • Open redirect in a trusted API endpoint.
  • Compromised CDN or API gateway injecting redirects.
  • MITM on a plaintext hop in the redirect chain.

Fix

Add "COOKIE" to the headers removed alongside "AUTHORIZATION" / "PROXY_AUTHORIZATION" on the security-boundary branch:

```java
if (stripAuthorization) {
    headers.remove(AUTHORIZATION)
           .remove(PROXY_AUTHORIZATION)
           .remove(COOKIE);
} else if (realm != null && (realm.getScheme() == AuthScheme.NTLM || realm.getScheme() == AuthScheme.SCRAM_SHA_256)) {
    headers.remove(AUTHORIZATION)
           .remove(PROXY_AUTHORIZATION);
}
```

Note that the URI-scoped "CookieStore" will re-add any cookies that legitimately match the new target after "propagatedHeaders" returns, so legitimate cross-origin sessions tracked by the client are not broken.

Fixed in 3.0.10 and 2.15.0 by commit "3b0e3e9e" (AsyncHttpClient/async-http-client@3b0e3e9e).

Publish Date: 2026-05-19

URL: CVE-2026-45300

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-19

Fix Resolution: https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-2.15.0, https://github.com/AsyncHttpClient/async-http-client.git - async-http-client-project-3.0.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-42578

Vulnerable Library - netty-handler-proxy-4.1.60.Final.jar

Library home page: https://netty.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler-proxy/4.1.60.Final/2352f12826400e5db64b36fd951508ce9a61c196/netty-handler-proxy-4.1.60.Final.jar

Dependency Hierarchy:

  • async-http-client-2.12.4.jar (Root Library)
    • netty-handler-proxy-4.1.60.Final.jar (Vulnerable Library)

Found in HEAD commit: 431499094d23a84b9187ef24b569995ee58d0c42

Found in base branch: main

Vulnerability Details

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Publish Date: 2026-05-13

URL: CVE-2026-42578

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.047%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-08

Fix Resolution: https://github.com/netty/netty.git - netty-4.2.13.Final, https://github.com/netty/netty.git - netty-4.1.133.Final

⛑️ Automatic Remediation will be attempted for this issue.
