CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-CMXV-58FP-FM3G

GHSA-cmxv-58fp-fm3g: Cross-Domain Credential Leakage in AsyncHttpClient

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 14, 2026·5 min read·31 visits

Executive Summary (TL;DR)

AsyncHttpClient versions before 3.0.9 leak authentication credentials and Realm data when following cross-origin HTTP 3xx redirects, allowing attackers to capture sensitive tokens.

AsyncHttpClient prior to version 3.0.9 is vulnerable to cross-domain credential leakage during HTTP redirects. The library incorrectly forwards Authorization headers and internal Realm objects to untrusted origins, potentially exposing sensitive tokens to unauthorized network actors.

Vulnerability Overview

AsyncHttpClient is a Java library that facilitates asynchronous HTTP request execution and response handling. Applications frequently use this library to interact with external APIs, often passing sensitive authentication tokens such as Bearer tokens or Basic authentication credentials.

In versions prior to 3.0.9, the library exhibits an information exposure vulnerability during HTTP 3xx redirect handling. The vulnerability allows sensitive credentials to be leaked to cross-domain destinations when following a redirect from a trusted origin.

This issue represents a violation of standard HTTP security semantics regarding credential propagation. The defect exposes application secrets to unintended recipients, leading to unauthorized access and potential downstream system compromise.

Root Cause Analysis

The vulnerability originates in the Redirect30xInterceptor component of the AsyncHttpClient library. When processing an HTTP 3xx redirection response, the library prepares a new request targeting the URL provided in the Location header.

Prior to the fix, the interceptor lacked adequate security boundary validation. It blindly copied existing request headers, including Authorization and Proxy-Authorization, into the new request state without verifying if the new target origin matched the original origin.

Furthermore, the library contained a secondary vulnerability referred to as a "Realm bypass". Even if developers explicitly enabled the stripAuthorizationOnRedirect(true) configuration flag, the library failed to clear its internal Realm object.

The NettyRequestFactory component subsequently utilized this stale Realm object to reconstruct valid authentication headers. Consequently, the explicit header stripping mechanism was rendered ineffective against credential leakage.

Code Analysis

The remediation for this vulnerability was introduced in commit 6b2fbb7f88f322f1a90345d77d8a1ffe36dfa5f4. The patch focuses on strict origin validation and comprehensive credential object nullification.

The fix introduces a same-origin check utilizing the request.getUri().isSameBase(newUri) method. This function validates that the scheme, host, and port of the redirect destination match those of the original request.

Additionally, the patch implements a security downgrade check to prevent credential transmission when a redirect forces an HTTPS connection to downgrade to plaintext HTTP.

The core logic update establishes a composite boolean flag stripAuth to dictate header retention. If the redirect is cross-origin, downgrades the connection security, or matches the explicit strip configuration, the library completely purges the authentication state.

// Logic introduced in the patch
boolean sameBase = request.getUri().isSameBase(newUri);
boolean schemeDowngrade = request.getUri().isSecured() && !newUri.isSecured();
boolean stripAuth = !sameBase || schemeDowngrade || stripAuthorizationOnRedirect;
 
if (stripAuth) {
    requestBuilder.setRealm(null); // Fixes the Realm bypass
    future.setRealm(null);
    future.setProxyRealm(null);
}

This comprehensive state clearance ensures that the NettyRequestFactory cannot reconstruct the Authorization headers, effectively resolving the Realm bypass mechanism.

Exploitation

Exploitation of this vulnerability requires the attacker to manipulate the redirect target of an authenticated request initiated by the victim application. This is typically achieved via three primary attack vectors.

The most direct vector utilizes an open redirect vulnerability on the original trusted domain. The application attempts to authenticate to the trusted domain, which responds with a 3xx redirect pointing to an attacker-controlled server.

Alternatively, an attacker can employ DNS rebinding techniques. After the initial request resolves to a trusted IP address, the attacker updates the DNS record to point to an adversarial IP address before a subsequent redirect occurs.

A Man-in-the-Middle (MITM) attacker can also exploit this issue if the initial connection utilizes unencrypted HTTP or is successfully downgraded. The attacker intercepts the request and injects a malicious 3xx response, capturing the credentials when the client follows the redirect.

> [!NOTE] > The official test suite RedirectCredentialSecurityTest.java acts as a functional proof-of-concept, verifying the behavior of both same-origin credential retention and cross-origin stripping.

Impact Assessment

The primary impact of this vulnerability is the exposure of sensitive authentication material to unauthorized third parties. This constitutes a severe breach of confidentiality.

When the leaked tokens are Bearer tokens or Session IDs, an attacker can impersonate the vulnerable application. This allows the adversary to access protected APIs, manipulate data, or pivot further into connected infrastructure.

The severity is classified as Moderate (CVSS 6.8) primarily because the attack complexity is High (AC:H). The attacker must possess the ability to control a redirect on the target domain, perform a MITM attack, or execute a DNS rebinding sequence.

Despite the elevated attack complexity, the confidentiality impact remains High (C:H). Applications utilizing AsyncHttpClient for automated API integrations are particularly susceptible to widespread token compromise if interacting with untrusted or poorly secured endpoints.

Remediation

The definitive remediation strategy is upgrading the AsyncHttpClient dependency to version 3.0.9 or later. This version contains the comprehensive origin validation and Realm bypass fix.

For environments unable to immediately upgrade, developers can implement a functional workaround by completely disabling automatic redirect following. Setting .setFollowRedirect(false) in the client configuration forces the application to handle 3xx responses manually.

When utilizing this workaround, development teams must implement custom origin validation logic before manually issuing subsequent requests. This ensures the application replicates the security boundaries introduced in the patched library version.

It is critical to note that relying solely on .setStripAuthorizationOnRedirect(true) in unpatched versions is insufficient. The Realm bypass flaw ensures that credentials generated via internal Realm objects will still be transmitted to cross-domain targets.

Official Patches

GitHub Advisory DatabaseOfficial Security Advisory
AsyncHttpClientFix Commit

Fix Analysis (1)

Technical Appendix

CVSS Score
6.8/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Systems

Java Applications using AsyncHttpClient < 3.0.9 for API integrations

Affected Versions Detail

Product
Affected Versions
Fixed Version
AsyncHttpClient
AsyncHttpClient
< 3.0.93.0.9
AttributeDetail
CWECWE-522
CVSS6.8
SeverityModerate
Attack VectorNetwork
Exploit StatusPoC Available
ImpactHigh Confidentiality Loss

MITRE ATT&CK Mapping

T1552Unsecured Credentials
Credential Access
T1558Steal or Forge Kerberos Tickets
Credential Access
CWE-522
Insufficiently Protected Credentials

Insufficiently Protected Credentials

Known Exploits & Detection

GitHubRedirectCredentialSecurityTest.java contains functional test cases that act as proof-of-concept for the vulnerability.

Vulnerability Timeline

Fix commit authored by library maintainers.
2026-04-12
Advisory GHSA-cmxv-58fp-fm3g published to GitHub.
2026-04-14
Fixed version 3.0.9 officially released.
2026-04-14

References & Sources

  • [1]GitHub Advisory: GHSA-cmxv-58fp-fm3g
  • [2]AsyncHttpClient Patch Commit
  • [3]OSV Vulnerability Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 4 hours ago•GHSA-7XW9-549R-8JRC
8.5

GHSA-7XW9-549R-8JRC: SQL Injection and Improper Access Control in DIRAC PilotManager

The DIRAC PilotManager component contains combined security weaknesses: a SQL injection vulnerability (CWE-89) in the PilotAgentsDB database interaction layer, and an improper access control configuration (CWE-284) within the default authorization structure. A low-privilege authenticated attacker can bypass intended authorization checks to run administrative commands, manipulate grid job tracking records, and execute arbitrary SQL statements against the backend database.

Alon Barad
Alon Barad
6 views•5 min read
•about 6 hours ago•CVE-2024-27091
6.1

CVE-2024-27091: Stored Cross-Site Scripting (XSS) to Account Takeover in GeoNode

A comprehensive security analysis of CVE-2024-27091, a stored cross-site scripting (XSS) vulnerability in the GeoNode geospatial content management system. Unsanitized metadata fields rendered with Django's safe template filter permit stored JavaScript execution, leading directly to admin account takeover via CSRF token theft and silent profile email modification.

Amit Schendel
Amit Schendel
5 views•6 min read
•3 days ago•CVE-2026-54068
5.9

CVE-2026-54068: Unauthenticated Server-Side Template Injection and SQLite Exfiltration in SiYuan PKM

An authentication bypass in the SiYuan personal knowledge management system before version 3.7.0 exposes a dynamic icon rendering endpoint. This endpoint processes client-supplied Go template directives. By submitting a crafted request, an unauthenticated remote attacker can leverage registered database template functions to execute arbitrary read-only SQL queries and exfiltrate workspace contents.

Amit Schendel
Amit Schendel
14 views•5 min read
•3 days ago•CVE-2026-54069
9.1

CVE-2026-54069: Authentication Bypass in SiYuan Note via Origin Header Spoofing

CVE-2026-54069 is a critical authentication bypass vulnerability in the SiYuan Note personal knowledge management system. The flaw is located in the HTTP server's middleware handling API authorization, which unconditionally trusts requests carrying a 'chrome-extension://' scheme in the Origin HTTP header, granting administrative access without validating API tokens.

Alon Barad
Alon Barad
14 views•5 min read
•3 days ago•CVE-2026-54089
9.1

CVE-2026-54089: Authentication Bypass by Spoofing in File Browser

CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.

Amit Schendel
Amit Schendel
16 views•7 min read
•3 days ago•GHSA-99J7-FHR2-XFJ4
10.0

GHSA-99J7-FHR2-XFJ4: Malicious Remote Code Execution Payload in 'exploration' Cargo Crate

The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.

Amit Schendel
Amit Schendel
15 views•6 min read