CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-Q6GH-6V2R-HJV3

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 9, 2026·6 min read·2 visits

Executive Summary (TL;DR)

The Micronaut HTTP client fails to strip sensitive headers like Authorization and Cookie during cross-origin redirects, allowing attackers to hijack sessions via open redirects or malicious endpoints.

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Vulnerability Overview

The vulnerability affects the core HTTP client libraries of the Micronaut Framework, specifically io.micronaut:micronaut-http-client and io.micronaut:micronaut-http-client-core. These libraries provide Netty-based HTTP client implementations used widely in Micronaut microservices to execute outbound HTTP calls.

When configuring an application to use the default HTTP client, the framework automatically handles HTTP redirect status codes (such as 301, 302, 307, and 308). The client is designed to preserve request state and copy headers from the initial request onto the subsequent redirected request.

However, the client did not differentiate between same-origin and cross-origin redirect destinations. This behavior allowed sensitive session credentials, including HTTP Authorization tokens, Proxy-Authorization headers, and local session cookies, to be forwarded to untrusted, external third-party servers.

Root Cause Analysis

The root cause of this vulnerability lies in the implementation of the setRedirectHeaders method in the Netty-based HTTP client components (DefaultHttpClient and NettyHttpClient). Historically, the client utilized a static, hardcoded blocklist named REDIRECT_HEADER_BLOCKLIST to filter headers before dispatching a redirected request.

This static blocklist was defined as follows:

private static final HttpHeaders REDIRECT_HEADER_BLOCKLIST;
 
static {
    REDIRECT_HEADER_BLOCKLIST = new DefaultHttpHeaders();
    REDIRECT_HEADER_BLOCKLIST.add(HttpHeaderNames.HOST, "");
    REDIRECT_HEADER_BLOCKLIST.add(HttpHeaderNames.CONTENT_TYPE, "");
    REDIRECT_HEADER_BLOCKLIST.add(HttpHeaderNames.CONTENT_LENGTH, "");
    REDIRECT_HEADER_BLOCKLIST.add(HttpHeaderNames.TRANSFER_ENCODING, "");
    REDIRECT_HEADER_BLOCKLIST.add(HttpHeaderNames.CONNECTION, "");
}

The blocklist only targeted transport-level headers and body-related properties. When preparing the redirect request, the code copied all other original headers without verifying if the target destination host matched the origin of the initial request.

Because the client lacked origin-awareness during redirect processing, any application transmitting bearer tokens or session cookies to a trusted service would unknowingly send those exact same headers to an external server if the trusted service responded with a cross-origin redirect instruction.

Code Analysis and Patch Walkthrough

To address this flaw, the Micronaut maintainers refactored the HTTP client configuration to categorize and separate filtered headers based on the context of the redirect.

Specifically, the fix introduced class fields to track three separate groups of headers:

  1. redirectAlwaysFilteredHeaders: Headers that are stripped regardless of redirect context (e.g., Host, Connection).
  2. redirectAdditionalNonPreserveBodyFilteredHeaders: Headers stripped specifically when the HTTP redirect method does not preserve the request body (e.g., Content-Length, Content-Type).
  3. redirectCrossOriginFilteredHeaders: High-sensitivity headers that must be stripped exclusively on cross-origin redirects (e.g., Authorization, Proxy-Authorization, Cookie).

The following code comparison details the implementation changes:

// Vulnerable Implementation
private void setRedirectHeaders(@Nullable io.micronaut.http.HttpRequest<?> request, 
                                MutableHttpRequest<Object> redirectRequest) {
    if (request != null) {
        for (Map.Entry<String, List<String>> originalHeader : request.getHeaders()) {
            if (!REDIRECT_HEADER_BLOCKLIST.contains(originalHeader.getKey())) {
                final List<String> originalHeaderValue = originalHeader.getValue();
                if (originalHeaderValue != null && !originalHeaderValue.isEmpty()) {
                    for (String value : originalHeaderValue) {
                        if (value != null) {
                            redirectRequest.header(originalHeader.getKey(), value);
                        } 
                    }
                } 
            }
        }
    }
}
// Patched Implementation
private void setRedirectHeaders(@Nullable io.micronaut.http.HttpRequest<?> request,
                                MutableHttpRequest<Object> redirectRequest,
                                boolean preserveBody) {
    if (request == null) {
        return;
    }
    boolean sameOrigin;
    try {
        // Determine if the redirect destination is the same origin
        sameOrigin = new RequestKey(this, request.getUri())
            .equals(new RequestKey(this, redirectRequest.getUri()));
    } catch (Exception e) {
        sameOrigin = false;
    }
    
    // Resolve blocklist based on destination origin alignment
    DefaultHttpHeaders headersToBlock = resolveRedirectFilteredHeaders(!sameOrigin, preserveBody);
    for (Map.Entry<String, List<String>> originalHeader : request.getHeaders()) {
        String headerName = originalHeader.getKey();
        if (headersToBlock.contains(headerName)) {
            continue;
        }
        // Copy non-filtered headers securely...
    }
}

The logic relies on RequestKey equality to perform the origin check. If the origins do not match, !sameOrigin evaluates to true, forcing the retrieval and addition of the redirectCrossOriginFilteredHeaders to the active blocklist, which effectively prevents the leakage of sensitive credential headers.

Exploitation Methodology

An attacker can exploit this vulnerability through several vectors. The most direct approach is leveraging an open redirect vulnerability on a trusted target API, or compromising a trusted host to redirect traffic to an attacker-controlled endpoint.

Step-by-Step Exploitation Workflow:

  1. The Micronaut client initiates an authenticated HTTP request containing an OAuth bearer token in the Authorization header to https://trusted-service.com/api.

  2. The server at trusted-service.com yields a 302 Found response containing a Location header that points to https://attacker-controlled-site.com/log.

  3. The vulnerable HTTP client receives the 302 response. Because it does not recognize https://attacker-controlled-site.com as cross-origin, it creates a new request and retains the original Authorization header containing the bearer token.

  4. The client dispatches the request to the attacker's server, which logs all incoming HTTP request headers and captures the active token.

Impact Assessment

The impact of this vulnerability is rated as High severity. The leakage of sensitive transport credentials allows remote attackers to perform full session hijacking, account takeover, or unauthorized downstream operations.

Because many corporate enterprise architectures utilize centralized identity providers, OAuth 2.0 bearer tokens, or JWTs, a single compromised token can grant access to a wide array of connected backend services. If the vulnerable client is configured to communicate with internal microservices, the leaked credentials can enable lateral movement across internal network boundaries.

Furthermore, if the application runs within a cloud infrastructure and queries metadata services using custom tokens, a cross-origin redirect triggered by external input can lead to cloud-level privilege escalation.

Patch Completeness and Residual Risks

While the official patches systematically block default authentication headers (Authorization, Proxy-Authorization, and Cookie), security teams must evaluate and manage residual risks related to custom authorization schemes.

Many API architectures use non-standard, custom HTTP headers to pass API keys or JWT tokens (e.g., X-Api-Key, X-Auth-Token, or X-Access-Token). The default patched implementation does not include these custom headers in the default redirectCrossOriginFilteredHeaders blocklist.

Consequently, applications using custom security headers remain vulnerable to credential leakage during cross-origin redirects unless developers explicitly configure the client to filter those specific custom header keys.

Remediation and Mitigation Guidance

The definitive remediation is to upgrade the Micronaut framework dependencies to the patched versions.

Required Upgrades

  • For Micronaut Core 3.x: Ensure the framework is upgraded to a version containing the fix in commit 64e539736b8168f201d868b02ace50fe14f57418.
  • For Micronaut Core 4.x: Ensure the framework is upgraded to a version containing the fixes in commits 70cab4b44fbf985faba2846091f2356b5bd70719 and 9770328999f490bdfbb9e25addd45bf73d4a173a.

Temporary Workarounds and Configurations

If immediate dependency upgrades are not feasible, apply the following configurations to mitigate the risk:

  1. Disable automatic redirect following on the HTTP client if the business logic does not strictly require it:
micronaut:
  http:
    client:
      follow-redirects: false
  1. Explicitly define custom security headers to be filtered during cross-origin redirects in the application configuration file:
micronaut:
  http:
    client:
      redirect-cross-origin-filtered-headers:
        - "Authorization"
        - "Proxy-Authorization"
        - "Cookie"
        - "X-Api-Key"
        - "X-Auth-Token"

Official Patches

Micronaut Core GitHub RepositoryOfficial patch for Micronaut Core 3.x
Micronaut Core GitHub RepositoryOfficial initial patch for Micronaut Core 4.x
Micronaut Core GitHub RepositoryOfficial secondary patch for Micronaut Core 4.x

Fix Analysis (3)

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Systems

Micronaut Framework HTTP Clientio.micronaut:micronaut-http-clientio.micronaut:micronaut-http-client-core

Affected Versions Detail

Product
Affected Versions
Fixed Version
micronaut-http-client
Micronaut
< 3.10.43.10.4
micronaut-http-client-core
Micronaut
< 3.10.43.10.4
micronaut-http-client
Micronaut
>= 4.0.0, < 4.0.14.0.1
AttributeDetail
CWE IDCWE-200 / CWE-522
Attack VectorNetwork (Cross-Origin Redirects)
CVSS Severity Score8.8
EPSS ScoreN/A
Exploit StatusPoC available in test suites
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1557Adversary-in-the-Middle
Credential Access
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Vulnerability Timeline

Vulnerability analyzed and source code fixes committed to 3.x and 4.x core repositories
2023-07-20
Secondary refinement commit made to the 4.x branch
2023-07-21
Patched versions of Micronaut framework published to Maven Central
2023-07-25

References & Sources

  • [1]Micronaut Core 3.x Commit Fix
  • [2]Micronaut Core 4.x Commit Fix (1)
  • [3]Micronaut Core 4.x Commit Fix (2)

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•19 minutes ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
3 views•5 min read
•about 2 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 2 hours ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
4 views•6 min read
•about 19 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read