GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client
Vulnerability ID: GHSA-Q6GH-6V2R-HJV3
CVSS Score: 8.8
Published: 2026-07-09
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.
TL;DR
The Micronaut HTTP client fails to strip sensitive headers like Authorization and Cookie during cross-origin redirects, allowing attackers to hijack sessions via open redirects or malicious endpoints.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200 / CWE-522
- Attack Vector: Network (Cross-Origin Redirects)
- CVSS Severity Score: 8.8
- EPSS Score: N/A
- Exploit Status: PoC available in test suites
- CISA KEV Status: Not Listed
Affected Systems
- Micronaut Framework HTTP Client
- io.micronaut:micronaut-http-client
- io.micronaut:micronaut-http-client-core
-
micronaut-http-client: < 3.10.4 (Fixed in:
3.10.4) -
micronaut-http-client-core: < 3.10.4 (Fixed in:
3.10.4) -
micronaut-http-client: >= 4.0.0, < 4.0.1 (Fixed in:
4.0.1)
Code Analysis
Commit: 64e5397
Strip cross-origin headers during redirects in Micronaut Core 3.x
Commit: 70cab4b
Fix credential leaks across domains in Micronaut Core 4.x
Commit: 9770328
Refactor redirect header filter mechanisms in Netty-based client
Mitigation Strategies
- Upgrade Micronaut Core framework to a patched release
- Disable automatic HTTP redirect following in application configurations
- Explicitly configure custom security headers to be filtered during redirects
Remediation Steps:
- Identify all service dependencies relying on io.micronaut:micronaut-http-client or io.micronaut:micronaut-http-client-core
- Update build configuration files (pom.xml or build.gradle) to reference the patched versions of Micronaut
- Review application configurations (application.yml or application.properties) and ensure custom API token headers are added to the cross-origin filter list
References
Read the full report for GHSA-Q6GH-6V2R-HJV3 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)