Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 5 maven packages depend on org.asynchttpclient:async-http-client (1 direct, 4 indirect)
Ecosystem-wide dependent count for version 3.0.0.Beta1.
DescriptionGitHub Advisory
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set (stripAuthorizationOnRedirect(true)) in the client config and avoid using Realm-based authentication with redirect following enabled. Note that (stripAuthorizationOnRedirect(true)) alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (followRedirect(false)) and handle redirects manually with origin validation.
AnalysisAI
AsyncHttpClient (AHC) library prior to versions 3.0.9 and 2.14.5 leaks Authorization, Proxy-Authorization headers, and plaintext Realm credentials to arbitrary redirect targets when followRedirect(true) is enabled, affecting all Java applications using vulnerable versions. This occurs across domain, scheme, and port changes including HTTPS-to-HTTP downgrades. An attacker controlling a redirect destination via open redirect, DNS rebinding, or MITM can capture Bearer tokens, Basic auth credentials, or any Authorization header value. No public exploit code or active exploitation has been confirmed at analysis time, though the vulnerability is exploitable with high-confidence conditions when redirect following is enabled (CVSS 6.8, network vector, no authentication required).
Technical ContextAI
AsyncHttpClient is a popular asynchronous HTTP client library for Java that handles HTTP requests, responses, and redirects. The vulnerability stems from improper handling of HTTP redirects (3xx status codes) in the redirect-following mechanism. When a redirect occurs, the library's NettyRequestFactory and redirect processing logic fail to validate whether the redirect target is in the same origin (same scheme, host, and port). The CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) root cause reflects the uncontrolled propagation of sensitive HTTP headers and authentication objects across origin boundaries. The Realm object in AsyncHttpClient is an authentication credential container used for Basic and Digest authentication schemes; even when stripAuthorizationOnRedirect(true) is configured, the Realm object is still passed to redirect requests, allowing NettyRequestFactory to re-generate Authorization headers using cached credentials. This affects all applications using AsyncHttpClient versions prior to 2.14.5 (2.x series) or 3.0.9 (3.x series) with followRedirect(true) enabled, as identified in GitHub commits and security advisories.
RemediationAI
Primary remediation is to upgrade AsyncHttpClient to version 2.14.5 or later for 2.x users, or version 3.0.9 or later for 3.x users. These patched versions automatically strip Authorization and Proxy-Authorization headers and clear Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to immediately upgrade, set stripAuthorizationOnRedirect(true) in the client configuration and avoid using Realm-based authentication (Basic/Digest) with redirect following enabled, understanding that this workaround is incomplete on pre-3.0.9/2.14.5 versions because Realm objects are still propagated. The most robust interim mitigation is to disable redirect following (followRedirect(false)) and implement manual redirect handling with explicit origin validation before following any redirect, ensuring that only same-origin redirects are honored. This manual approach requires code changes but provides complete protection without patching. Users should audit their AsyncHttpClient configurations to identify where followRedirect(true) is used, particularly in applications handling sensitive credentials (API keys, Bearer tokens, Basic auth), and prioritize patching those deployments first. The GitHub security advisory at https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g provides additional implementation guidance.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23638
GHSA-cmxv-58fp-fm3g