CVE-2025-27820

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-27820
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27820.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27820
Aliases
Downstream
Related
Published
2025-04-24T12:15:16.723Z
Modified
2026-04-10T05:25:04.795077Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

References

Affected packages

Git / github.com/apache/httpcomponents-client

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpcomponents-client
Events
Introduced
84cccfe6300bca6b37abd05af527df08a781b677
Fixed
48236f5f1a7b78f4446d2c00c4c25c598148f57b
Database specific 
{
    "versions": [
        {
            "introduced": "5.4"
        },
        {
            "fixed": "5.4.3"
        }
    ]
}

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27820.json"