org.asynchttpclient:async-http-client 2.0.0-alpha21

Direct Vulnerabilities

Known vulnerabilities in the org.asynchttpclient:async-http-client package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Exposure of Sensitive System Information to an Unauthorized Control Sphere org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the `propagatedHeaders()` method during cross-origin redirects, where `Cookie` headers are not stripped when forwarding requests to a new origin. An attacker can obtain sensitive session cookies, CSRF tokens, or API keys by leveraging an open redirect, a compromised CDN or API gateway, or a man-in-the-middle attack on a plaintext hop in the redirect chain. How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere? Upgrade `org.asynchttpclient:async-http-client` to version 2.15.0, 3.0.10 or higher.	[,2.15.0)[3.0.0.Beta1,3.0.10)
H Origin Validation Error org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes. Affected versions of this package are vulnerable to Origin Validation Error in the `Redirect30xInterceptor` class. An attacker in control of a cross-origin redirect target via a different exploit such as open redirect or DNS rebinding, or who is in a MitM position on HTTP connections, can leak `Authorization` and `Proxy-Authorization` headers. This is only exploitable if redirect following is enabled - i.e. `followRedirect(true)`. How to fix Origin Validation Error? Upgrade `org.asynchttpclient:async-http-client` to version 2.14.5, 3.0.9 or higher.	[,2.14.5)[3.0.0.Beta1,3.0.9)
H Server Side Request Forgery (SSRF) org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes. Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL. How to fix Server Side Request Forgery (SSRF)? Upgrade `org.asynchttpclient:async-http-client` to version 2.0.35 or higher.	[,2.0.35)

Vulnerability

Vulnerable Version

Exposure of Sensitive System Information to an Unauthorized Control Sphere

org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the propagatedHeaders() method during cross-origin redirects, where Cookie headers are not stripped when forwarding requests to a new origin. An attacker can obtain sensitive session cookies, CSRF tokens, or API keys by leveraging an open redirect, a compromised CDN or API gateway, or a man-in-the-middle attack on a plaintext hop in the redirect chain.

How to fix Exposure of Sensitive System Information to an Unauthorized Control Sphere?

Upgrade org.asynchttpclient:async-http-client to version 2.15.0, 3.0.10 or higher.

[,2.15.0)[3.0.0.Beta1,3.0.10)

Origin Validation Error

org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Origin Validation Error in the Redirect30xInterceptor class. An attacker in control of a cross-origin redirect target via a different exploit such as open redirect or DNS rebinding, or who is in a MitM position on HTTP connections, can leak Authorization and Proxy-Authorization headers. This is only exploitable if redirect following is enabled - i.e. followRedirect(true).

How to fix Origin Validation Error?

Upgrade org.asynchttpclient:async-http-client to version 2.14.5, 3.0.9 or higher.

[,2.14.5)[3.0.0.Beta1,3.0.9)

Server Side Request Forgery (SSRF)

org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

How to fix Server Side Request Forgery (SSRF)?

Upgrade org.asynchttpclient:async-http-client to version 2.0.35 or higher.

[,2.0.35)

org.asynchttpclient:async-http-client@2.0.0-alpha21

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically