GHSA-73m2-qfq3-56cx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-73m2-qfq3-56cx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-73m2-qfq3-56cx/GHSA-73m2-qfq3-56cx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-73m2-qfq3-56cx
- Aliases
- Downstream
- Published
- 2025-04-24T12:31:28Z
- Modified
- 2025-05-17T01:09:56.645474Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Apache HttpClient disables domain checks
- Details
-
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.
- Database specific
{ "severity": "HIGH", "nvd_published_at": "2025-04-24T12:15:16Z", "cwe_ids": [ "CWE-295" ], "github_reviewed_at": "2025-04-24T16:36:08Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-27820
- https://github.com/apache/httpcomponents-client/pull/574
- https://github.com/apache/httpcomponents-client/pull/621
- https://github.com/apache/httpcomponents-client
- https://hc.apache.org/httpcomponents-client-5.4.x/index.html
- https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
- https://security.netapp.com/advisory/ntap-20250516-0003
Affected packages
Maven / org.apache.httpcomponents.client5:httpclient5
Package
- Name
- org.apache.httpcomponents.client5:httpclient5
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.httpcomponents.client5/httpclient5