CVE-2026-45300
HIGH
async-http-client: Cookie header not stripped on cross-origin redirect
Title source: cnaDescription
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
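Added example, not code from the AsyncHttpClient project: a Python model of the header-propagation rule the description attributes to `Redirect30xInterceptor.propagatedHeaders()`, with the pre-fix behaviour (only `Authorization` and `Proxy-Authorization` dropped) beside the patched behaviour (`Cookie` dropped as well), plus a helper that walks a redirect chain and reports whether a cookie set for the first origin reaches a different origin. The origin comparison (scheme, host and effective port, with 80/443 as defaults), the assumption that same-origin redirects keep every header, and the sample headers and URLs are all constructed for the illustration and are not taken from the library.

```python
"""Model of cookie propagation across redirects, as described in the advisory.
Illustrative code only; it does not call or reproduce AsyncHttpClient internals."""
from urllib.parse import urlsplit

# Assumption: default ports used when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, effective port) of a URL. Assumption: this is what
    'same origin' means for the redirect check being modelled."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    return origin(a) == origin(b)


# Headers the description says are dropped on a cross-origin redirect in every
# affected and fixed version.
AUTH_HEADERS = {"authorization", "proxy-authorization"}


def propagated_headers_vulnerable(headers, from_url, to_url):
    """Behaviour described for 2.x < 2.15.0 and 3.x < 3.0.10: on a
    cross-origin redirect only the two auth headers are removed, so Cookie
    is forwarded to the new origin. Assumption: same-origin keeps everything."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in AUTH_HEADERS}


def propagated_headers_fixed(headers, from_url, to_url):
    """Behaviour described for 2.15.0 / 3.0.10: Cookie is removed as well."""
    if same_origin(from_url, to_url):
        return dict(headers)
    dropped = AUTH_HEADERS | {"cookie"}
    return {k: v for k, v in headers.items() if k.lower() not in dropped}


def follow_chain(headers, chain, propagate):
    """Return the headers that arrive at the last URL of a redirect chain
    (a list of URLs, first element is the original request) under `propagate`."""
    current = dict(headers)
    for src, dst in zip(chain, chain[1:]):
        current = propagate(current, src, dst)
    return current


def leaks_cookie(headers, chain, propagate=propagated_headers_vulnerable):
    """True if a Cookie header present on the original request is sent to any
    hop whose origin differs from the original request's origin."""
    current = dict(headers)
    for src, dst in zip(chain, chain[1:]):
        current = propagate(current, src, dst)
        if not same_origin(chain[0], dst) and any(k.lower() == "cookie" for k in current):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: session cookie for app.example.com, and a redirect
    # from that host to a host the attacker controls.
    req_headers = {
        "Cookie": "JSESSIONID=abc123",
        "Authorization": "Bearer t0k3n",
        "Accept": "*/*",
    }
    chain = ["https://app.example.com/login", "https://evil.example.net/landing"]
    print("vulnerable:", follow_chain(req_headers, chain, propagated_headers_vulnerable))
    print("fixed:     ", follow_chain(req_headers, chain, propagated_headers_fixed))
    print("leaks under vulnerable policy:", leaks_cookie(req_headers, chain))
```

`leaks_cookie` checks every hop against the origin of the original request rather than the previous hop, so a chain that bounces through a same-origin URL before leaving the origin is still flagged; the pre-fix policy forwards the cookie on that final cross-origin hop exactly as on a direct one.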
References (3)
x_refsource_confirm
https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
x_refsource_misc
https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
x_refsource_misc
https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10
Scores
CVSS v3
7.4
EPSS
0.0027
EPSS Percentile
17.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (5)
AsyncHttpClient/async-http-client
>= 2.0.0, < 2.15.0
AsyncHttpClient/async-http-client
>= 3.0.0.Beta1, < 3.0.10
asynchttpclient_project/async-http-client
2.0.0 - 2.15.0 (2.15.0 is the fixed release)
org.asynchttpclient/async-http-client (Maven)
2.0.0 - 2.15.0 (2.15.0 is the fixed release)
org.asynchttpclient/async-http-client (Maven)
3.0.0.Beta1 - 3.0.10 (3.0.10 is the fixed release)
Published
Jun 05, 2026
Tracked Since
Jun 06, 2026