Domain Validation Flaw in Apache HttpClient Impacts Cookie Management
CVE-2025-27820
7.5 HIGH
What is CVE-2025-27820?
A flaw in the domain validation logic of Apache HttpClient 5.4.x disables critical domain checks, which compromises the integrity of cookie management and host name verification and can allow unauthorized access to sensitive data. The issue was identified by the Apache HttpClient team and addressed in version 5.4.3; users are strongly recommended to upgrade to that version.
Affected Version(s)
Apache HttpComponents 5.4.0 < 5.4.3
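
To check a build against the affected range above, the following added example (not part of the original advisory or of the Apache project) scans dependency listings for HttpClient 5 versions from 5.4.0 up to, but not including, 5.4.3. It assumes the Maven coordinates `org.apache.httpcomponents.client5:httpclient5`, the `httpclient5-<version>.jar` file naming, and that a bare `5.4` means 5.4.0; the sample input is constructed.

```python
import re

# Range as given in the advisory: 5.4.0 <= version < 5.4.3
AFFECTED_FROM, FIXED_IN = (5, 4, 0), (5, 4, 3)

# Assumed inputs: `mvn dependency:tree` coordinates and packaged jar file names.
COORD = re.compile(r"org\.apache\.httpcomponents\.client5:httpclient5:jar:([^:\s]+)")
JAR = re.compile(r"\bhttpclient5-(\d[^/\s]*?)\.jar\b")

def parse_version(text):
    """Return ((major, minor, patch), qualifier); '5.4' is read as 5.4.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.](.+))?", text)
    if not m:
        return None, text
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4]

def classify(version):
    nums, qualifier = parse_version(version)
    if nums is None:
        return "unparsed"
    if not (AFFECTED_FROM <= nums < FIXED_IN):
        return "not-affected"
    # The advisory does not cover pre-releases or vendor rebuilds: flag for review.
    return "review" if qualifier else "affected"

def scan(lines):
    """Return sorted (version, status) pairs for each httpclient5 reference."""
    found = set()
    for line in lines:
        for m in list(COORD.finditer(line)) + list(JAR.finditer(line)):
            found.add((m[1], classify(m[1])))
    return sorted(found)

# Constructed sample: dependency-tree lines plus jar paths from an unpacked archive.
SAMPLE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.httpcomponents.client5:httpclient5:jar:5.4.1:compile
[INFO] |  \- org.apache.httpcomponents.core5:httpcore5:jar:5.3.1:compile
[INFO] \- org.apache.httpcomponents.client5:httpclient5-fluent:jar:5.4.1:compile
BOOT-INF/lib/httpclient5-5.4.3.jar
WEB-INF/lib/httpclient5-5.4.jar
WEB-INF/lib/httpclient5-5.4-beta1.jar
WEB-INF/lib/httpclient5-cache-5.3.1.jar
""".splitlines()

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(f"httpclient5 {version}: {status}")
```

Sibling artifacts such as `httpclient5-fluent` and `httpclient5-cache` are deliberately not matched, since the advisory names only HttpClient itself.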