CVE-2026-40490

Severity: MEDIUM 6.8 | EPSS: 0.07%

AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects

Published: 2026/4/14 | Modified: 2026/5/5

Description

### Impact

When redirect following is enabled (followRedirect(true)), AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades.

Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory.

An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value.

### Patches

Fixed in version 3.0.9 or 2.14.5. Users should upgrade immediately. The fix automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP.

### Workarounds

For users unable to upgrade, set stripAuthorizationOnRedirect(true) in the client config and avoid using Realm-based authentication with redirect following enabled. Note that stripAuthorizationOnRedirect(true) alone is insufficient on versions prior to 3.0.9 or 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (followRedirect(false)) and handle redirects manually with origin validation.

### References

- Fix commit: https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
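The second workaround above (followRedirect(false) plus manual redirect handling with origin validation), written out as an added example; this is not code from the advisory or from the AsyncHttpClient project. It uses a plain Authorization header rather than a Realm, as the advisory recommends, and assumes the builder setter for the stripAuthorizationOnRedirect option is named setStripAuthorizationOnRedirect; the URL and token are placeholders.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.BoundRequestBuilder;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

public class SafeRedirectExample {
    private static final int MAX_REDIRECTS = 5;
    // Two URIs share an origin only if scheme, host and effective port all match.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && effectivePort(a) == effectivePort(b);
    }
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }
    // Follows redirects by hand; the Authorization header is only sent while the
    // target is still the origin the caller started from (same scheme, host, port),
    // so a cross-origin hop or an HTTPS-to-HTTP downgrade never sees the token.
    static Response getWithManualRedirects(AsyncHttpClient client, String startUrl, String bearerToken)
            throws ExecutionException, InterruptedException {
        URI origin = URI.create(startUrl);
        URI current = origin;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            BoundRequestBuilder req = client.prepareGet(current.toString());
            if (sameOrigin(origin, current)) {
                req.setHeader("Authorization", "Bearer " + bearerToken);
            }
            Response resp = req.execute().get();
            int s = resp.getStatusCode();
            if (s != 301 && s != 302 && s != 303 && s != 307 && s != 308) return resp;
            String location = resp.getHeader("Location");
            if (location == null) return resp;
            current = current.resolve(location); // relative Location values resolve against the current URL
        }
        throw new IllegalStateException("too many redirects");
    }
    public static void main(String[] args) throws Exception {
        // Hardened config: the client never follows redirects itself; the loop above does, with the origin check.
        // setStripAuthorizationOnRedirect is assumed to be the builder setter for the advisory's option.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(
                Dsl.config().setFollowRedirect(false).setStripAuthorizationOnRedirect(true))) {
            Response r = getWithManualRedirects(client, "https://api.example.com/resource", "PLACEHOLDER_TOKEN");
            System.out.println(r.getStatusCode());
        }
    }
}
```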

Affected packages (2)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 6.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |

References (8)