Cross-Origin Cookie Leakage in AsyncHttpClient Library by AsyncHttpClient
CVE-2026-45300
7.4 HIGH
What is CVE-2026-45300?
The AsyncHttpClient Java library leaks sensitive Cookie headers to third-party servers through cross-origin redirects. When the library follows a redirect to a different origin, it forwards the original request's Cookie header to the new origin, so whoever controls the redirect target receives the client's session cookies and any other sensitive data carried in cookies. The propagatedHeaders() method in Redirect30xInterceptor.java fails to strip the Cookie header, although it already strips the Authorization and Proxy-Authorization headers. Users of versions prior to 2.15.0 and 3.0.10 are advised to upgrade to the latest releases to mitigate this risk.
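The missing check, as an added example in Python rather than the library's own Java code: a redirect-header filter that forwards Cookie, Authorization and Proxy-Authorization only when the 30x target shares the original request's origin (scheme, host and port). The function names, the origin definition and the handling of relative Location values are my own choices, not AsyncHttpClient's API.

```python
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not follow a redirect to another origin.
# The advisory says Authorization and Proxy-Authorization were already stripped
# by propagatedHeaders(); Cookie was the one that leaked.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in {url!r}")
    # Normalise the default port so https://a/ and https://a:443/ compare equal.
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS[scheme]


def propagated_headers(headers: dict[str, str], request_url: str, location: str) -> dict[str, str]:
    """Return the headers to send on the redirected request (hypothetical helper).

    `location` is the raw Location header value. Relative values are resolved
    against the original request URL before the origin comparison, so a
    relative redirect is never misclassified as cross-origin.
    """
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return dict(headers)  # same origin: forward everything, cookies included
    # Different host, scheme or port: drop credentials. Header names are
    # case-insensitive, so compare them lower-cased.
    return {name: value for name, value in headers.items()
            if name.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample request: a login response redirecting off-site.
    sent = {"Cookie": "sid=abc123", "Authorization": "Bearer t0k3n", "Accept": "*/*"}
    print(propagated_headers(sent, "https://app.example/login", "https://cdn.example/"))
    print(propagated_headers(sent, "https://app.example/login", "/home"))
```

An https-to-http redirect on the same host also counts as cross-origin here, so cookies are not downgraded onto a cleartext connection.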
Affected Version(s)
Package            Affected versions           Unaffected versions
async-http-client  >= 3.0.0.Beta1, < 3.0.10    < 3.0.0.Beta1, 3.0.10
async-http-client  >= 2.0.0, < 2.15.0          < 2.0.0, 2.15.0
