CVE-2026-45300
HIGH EPSS 23.9%
Published Jun 5, 20263w ago · Modified Jun 17, 20261w ago
7.4 CVSS 3.1
Published Jun 5, 2026 3w ago
Last Modified Jun 17, 2026 1w ago
Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
23.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| asynchttpclient_project | async-http-client | * | ≥2.0.0 – <2.15.0 |
| asynchttpclient_project | async-http-client | * | ≥3.0.0 – <3.0.10 |
References 3
- github.com https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
- github.com https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10
- github.com https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
Remediation
- github.com https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
- github.com https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm