Severity by source

Primary rating from Vendor (GitHub_M).

CVSS vector (Vendor: GitHub_M): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

AC:H reflects the required shared-CookieStore architecture; PR:N because the attacker only controls a responding HTTP server; S:C because the injected cookie crosses to a distinct trusted domain; I:L for cookie-level integrity tampering with no confidentiality or availability impact.
Description (CVE.org)
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without verifying that the responding host is allowed to set a cookie for that domain, leading to a cookie tossing / cookie injection issue. A host the client connects to can therefore plant a cookie scoped to an unrelated domain, and the client will then send that cookie on later requests to that domain. Applications that use a single AsyncHttpClient instance - and thus the default, shared CookieStore - to reach both an attacker-influenced host and a trusted host are impacted. This issue has been fixed in versions 2.16.0 and 3.0.11.
Analysis (AI)
Cookie tossing in AsyncHttpClient (AHC) library allows a malicious HTTP server to plant cookies scoped to an unrelated trusted domain, affecting versions 2.0.0-2.15.x and 3.0.0.Beta1-3.0.10. ThreadSafeCookieStore accepts and stores a cookie's Domain attribute value without verifying that the responding host is authorised to set cookies for that domain, so any server the client contacts can inject a cookie that AHC will automatically forward to the targeted domain on subsequent requests. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target application uses a single AsyncHttpClient instance - and therefore the default shared ThreadSafeCookieStore - to issue HTTP requests to both (1) an attacker-controlled or attacker-influenced server and (2) a trusted server whose domain the attacker wishes to target, with both connections occurring within the same application process lifetime so the injected cookie persists in the shared store. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N, score 4.0) accurately reflects an architecturally constrained but real threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates a web server that a target Java application calls - for example, as part of a third-party REST API integration or a user-supplied URL fetch. The attacker's server responds to a legitimate request with a Set-Cookie header such as 'session=attacker_value; Domain=internal-auth.example.com', which AHC stores without domain validation. … |
| Remediation | Upgrade async-http-client to version 2.16.0 (for the 2.x stable line) or 3.0.11 (for the 3.x pre-release line), both of which enforce RFC 6265-compliant domain-origin validation in ThreadSafeCookieStore per the vendor advisory at https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-m452-q8c9-rg2f. … Detailed patch versions, workarounds, and compensating controls in full report. |
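An added example, not AsyncHttpClient's own code, of the domain-origin check the remediation row refers to: a toy cookie store that only accepts a Domain-attributed cookie when the responding host itself domain-matches that Domain under RFC 6265, so the Set-Cookie from the exploit scenario above is rejected. The host names are constructed, and public-suffix handling (which a production store also needs) is omitted.

```java
import java.util.*;

/** Added example, not AsyncHttpClient code: a minimal cookie store that applies the RFC 6265
 *  domain check that a Set-Cookie Domain attribute must pass before the cookie is stored. */
public class DomainScopedCookieStore {
    record Cookie(String name, String value, String domain, boolean hostOnly) {}
    private final List<Cookie> cookies = new ArrayList<>();

    /** RFC 6265 section 5.1.3: host domain-matches domain if they are equal, or if host is a
     *  subdomain of it and not an IP address. Case-insensitive; a leading dot is ignored. */
    static boolean domainMatches(String host, String domain) {
        host = host.toLowerCase(Locale.ROOT);
        domain = domain.toLowerCase(Locale.ROOT).replaceFirst("^\\.", "");
        boolean isIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
        return host.equals(domain) || (!isIp && host.endsWith("." + domain));
    }

    /** Parse one Set-Cookie header from respondingHost; false means the cookie was rejected. */
    public boolean add(String respondingHost, String setCookie) {
        String[] parts = setCookie.split(";");
        String[] nv = parts[0].trim().split("=", 2);
        String name = nv[0].trim(), value = nv.length > 1 ? nv[1].trim() : "", domain = null;
        for (int i = 1; i < parts.length; i++) {
            String[] av = parts[i].trim().split("=", 2);
            if (av[0].trim().equalsIgnoreCase("Domain") && av.length > 1 && !av[1].isBlank())
                domain = av[1].trim().toLowerCase(Locale.ROOT).replaceFirst("^\\.", "");
        }
        boolean hostOnly = domain == null;
        if (hostOnly) {
            domain = respondingHost.toLowerCase(Locale.ROOT);   // no Domain attribute: host-only
        } else if (!domainMatches(respondingHost, domain)) {
            return false; // the check the vulnerable store skipped: a host may only set cookies
        }                 // for a domain it itself domain-matches, never for an unrelated one
        cookies.add(new Cookie(name, value, domain, hostOnly));
        return true;
    }

    /** Cookies that would be attached to a request for requestHost. */
    public Map<String, String> cookiesFor(String requestHost) {
        Map<String, String> out = new TreeMap<>();
        for (Cookie c : cookies)
            if (c.hostOnly() ? requestHost.equalsIgnoreCase(c.domain()) : domainMatches(requestHost, c.domain()))
                out.put(c.name(), c.value());
        return out;
    }

    public static void main(String[] args) {
        DomainScopedCookieStore store = new DomainScopedCookieStore();
        // Constructed hosts: an attacker-influenced API host tries to plant a cookie scoped to the
        // trusted internal-auth domain (rejected); a real subdomain of that domain may do so (accepted).
        System.out.println(store.add("api.attacker.example", "session=attacker_value; Domain=internal-auth.example.com"));
        System.out.println(store.add("login.internal-auth.example.com", "session=real; Domain=internal-auth.example.com"));
        System.out.println(store.cookiesFor("internal-auth.example.com"));
    }
}
```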
EUVD-2026-41134