CVE-2025-27820

Source
https://cve.org/CVERecord?id=CVE-2025-27820
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27820.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-27820
Aliases
Downstream
Related
Published
2025-04-24T11:44:25.986Z
Modified
2026-07-08T06:39:01.014947456Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apache HttpComponents: PSL (Public Suffix List) validation bypass
Details

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27820.json",
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/httpcomponents-client

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpcomponents-client
Events
Database specific
{
    "cpe": "cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.4.0"
        },
        {
            "fixed": "5.4.3"
        },
        {
            "introduced": "5.4"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27820.json"