GHSA-cmxv-58fp-fm3g: Cross-Domain Credential Leakage in AsyncHttpClient
Vulnerability ID: GHSA-CMXV-58FP-FM3G
CVSS Score: 6.8
Published: 2026-04-14
AsyncHttpClient prior to version 3.0.9 is vulnerable to cross-domain credential leakage during HTTP redirects. The library incorrectly forwards Authorization headers and internal Realm objects to untrusted origins, potentially exposing sensitive tokens to unauthorized network actors.
TL;DR
AsyncHttpClient versions before 3.0.9 leak authentication credentials and Realm data when following cross-origin HTTP 3xx redirects, allowing attackers to capture sensitive tokens.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-522
- CVSS: 6.8
- Severity: Moderate
- Attack Vector: Network
- Exploit Status: PoC Available
- Impact: High Confidentiality Loss
Affected Systems
- Java Applications using AsyncHttpClient < 3.0.9 for API integrations
- AsyncHttpClient: < 3.0.9 (Fixed in: 3.0.9)
Code Analysis
Commit: 6b2fbb7
Fix cross-domain credential leakage and Realm bypass in Redirect30xInterceptor
Exploit Details
- GitHub: RedirectCredentialSecurityTest.java contains functional test cases that act as proof-of-concept for the vulnerability.
Mitigation Strategies
- Upgrade AsyncHttpClient to version 3.0.9 or later
- Disable automatic redirect following via .setFollowRedirect(false) if an immediate upgrade is not feasible
Remediation Steps:
- Identify all projects dependent on org.asynchttpclient:async-http-client via dependency trees.
- Update the pom.xml or build.gradle to specify version 3.0.9.
- Recompile and run unit tests to verify integration compatibility.
- If the upgrade is blocked, enforce .setFollowRedirect(false) globally in application HTTP client builders.