async-http-client: Cookie header not stripped on cross-origin redirect
CVE-2026-45300
7.4HIGH
What is CVE-2026-45300?
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak Cookie headers to cross-origin redirect targets. When following a redirect to a different origin, the propagatedHeaders() method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but does not strip the Cookie header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
Affected Version(s)
async-http-client >= 3.0.0.Beta1, < 3.0.10 < 3.0.0.Beta1, 3.0.10
async-http-client >= 2.0.0, < 2.15.0 < 2.0.0, 2.15.0