SB2026041462 - Information disclosure in Async-http-client

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in redirect handling when following cross-origin redirects. A remote attacker can control a redirect target to disclose sensitive information.

The issue can leak Authorization and Proxy-Authorization headers as well as Realm credentials, including during HTTPS-to-HTTP downgrades. Even when authorization stripping is enabled, plaintext Realm credentials may still be propagated and regenerated for Basic and Digest authentication schemes.

Remediation

Install update from vendor's website.

References

• https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
• https://github.com/advisories/GHSA-cmxv-58fp-fm3g