By vendor
Asynchttpclient_project vulnerabilities
Known CVEs affecting Asynchttpclient_project products, prioritized by severity, with SEC.co remediation and detection guidance.
1 published vulnerability
- CVE-2026-45300HIGH 7.4
AsyncHttpClient (AHC), a popular Java library for making HTTP requests, contains a flaw in how it handles redirects to different websites. When your application follows a redirect, the library correctly strips away sensitive authentication headers (like `Authorization` and `Proxy-Authorization`) to prevent leaking credentials to the new destination—but it fails to strip `Cookie` headers. This means session cookies and other sensitive cookie data are inadvertently sent to the redirect target, even if it's a malicious or attacker-controlled server. An attacker could exploit this by tricking a user's browser or application into following a crafted redirect chain, capturing session tokens or other sensitive cookie values. Versions 2.15.0 and 3.0.10 fix this oversight.