CVE-2026-45300

HIGH 7.4

async-http-client: Cookie header not stripped on cross-origin redirect

CVSS Score

7.4

EPSS Score

0.0%

EPSS Percentile

0th

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.

CWE	CWE-200
Vendor	asynchttpclient
Product	async-http-client
Published	Jun 5, 2026
Last Updated	Jun 8, 2026

Stay Ahead of the Next One

Get instant alerts for asynchttpclient async-http-client

Be the first to know when new high vulnerabilities affecting asynchttpclient async-http-client are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

AsyncHttpClient / async-http-client

>= 3.0.0.Beta1, < 3.0.10 >= 2.0.0, < 2.15.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm github.com: https://github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e github.com: https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10