Listen to this Post
How the CVE works
The vulnerability exists in `Redirect30xInterceptor.java` when following a cross-origin redirect or an HTTPS-to‑HTTP downgrade. The client computes `stripAuth` as `true` whenever the redirect crosses an origin, downgrades the scheme, or when `AsyncHttpClientConfigisStripAuthorizationOnRedirect()` is enabled. In the vulnerable `propagatedHeaders()` method, only `Authorization` and `Proxy-Authorization` headers are removed when `stripAuth` is true. The `Cookie` header is not stripped, so session cookies, CSRF tokens, API keys, and other sensitive cookie values are forwarded to the redirect target – which may be attacker‑controlled. The companion test class `RedirectCredentialSecurityTest` lacks coverage for cookies, allowing the regression to go unnoticed. The fix adds `COOKIE` to the headers removed alongside `AUTHORIZATION` and `PROXY_AUTHORIZATION` on the security‑boundary branch.
DailyCVE form
Platform: async-http-client
Version: < 2.15.0 / < 3.0.10
Vulnerability: Cookie leak
Severity: Medium
date: 2026-05-13
Prediction: Patched in 2.15.0 / 3.0.10 (May 2026)
What Undercode Say:
Check for vulnerable versions
grep -E "org.asynchttpclient:async-http-client" pom.xml | grep -E "2.[0-9]+.[0-9]+|3.0.[0-9]+"
Example code that triggers the leak
AsyncHttpClient client = asyncHttpClient();
Request request = new RequestBuilder("GET")
.setUrl("https://trusted-api.com/endpoint")
.setHeader("Cookie", "session=abc123; csrf=xyz789")
.build();
client.executeRequest(request).get(); Cookies are leaked on cross‑origin redirect
Upgrade to patched version
For Maven: update to 2.15.0 or 3.0.10
<dependency>
<groupId>org.asynchttpclient</groupId>
<artifactId>async-http-client</artifactId>
<version>3.0.10</version>
</dependency>
Exploit:
An attacker controls a redirect target via an open redirect on a trusted API, a compromised CDN, or a MITM on an HTTP hop. The vulnerable client sends the original request with a `Cookie` header to the trusted domain, which replies with a 302 redirect to an attacker‑controlled URL (e.g., https://evil.com`). Because `Cookie` is not stripped, the client forwards the entire `Cookie` header toevil.com, allowing the attacker to capture session identifiers, CSRF tokens, API keys, and tracking IDs.SameSite=Strict`) to limit impact if a leak occurs.
<h2 style="color: blue;">Protection from this CVE</h2>
- Upgrade to async-http-client 2.15.0 or 3.0.10 immediately.
- If upgrading is not possible, disable automatic redirect following and manually validate each redirect target before proceeding.
- Monitor for outgoing requests that contain `Cookie` headers to untrusted domains.
- Use short‑lived, host‑restricted cookies (e.g., `SameSite=Lax` or
Impact
- Session hijacking – leaked session cookies allow impersonation of the victim user.
- CSRF token theft – tokens carried in cookies can be used to forge state‑changing requests.
- API key theft – keys stored in cookies are exposed to the attacker.
- Privacy leakage – tracking identifiers can be harvested, enabling cross‑site user tracking.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

