GHSA-4q2v-9p7v-3v22

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-200"
    ],
    "nvd_published_at": "2025-07-16T10:15:27Z",
    "github_reviewed_at": "2025-07-16T20:35:41Z"
}

References

Affected packages

Maven / io.projectreactor.netty:reactor-netty-http

Package

Name: io.projectreactor.netty:reactor-netty-http; View open source insights on deps.dev
Purl: pkg:maven/io.projectreactor.netty/reactor-netty-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0-M1

Fixed

1.3.0-M5

Affected versions

1.*

1.3.0-M1

1.3.0-M2

1.3.0-M3

1.3.0-M4

Maven / io.projectreactor.netty:reactor-netty-http

Package

Name: io.projectreactor.netty:reactor-netty-http; View open source insights on deps.dev
Purl: pkg:maven/io.projectreactor.netty/reactor-netty-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.8

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

1.0.23

1.0.24

1.0.25

1.0.26

1.0.27

1.0.28

1.0.29

1.0.30

1.0.31

1.0.32

1.0.33

1.0.34

1.0.35

1.0.36

1.0.37

1.0.38

1.0.39

1.0.40

1.0.41

1.0.42

1.0.43

1.0.44

1.0.45

1.0.46

1.0.47

1.0.48

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.1.13

1.1.14

1.1.15

1.1.16

1.1.17

1.1.18

1.1.19

1.1.20

1.1.21

1.1.22

1.1.23

1.1.24

1.1.25

1.1.26

1.1.27

1.1.28

1.1.29

1.1.30

1.1.31

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7