Sensitive Cookie with Improper SameSite Attributeorg.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.
Affected versions of this package are vulnerable to Sensitive Cookie with Improper SameSite Attribute via ThreadSafeCookieStore in ThreadSafeCookieStore.add(...). An attacker can plant a cookie for an unrelated domain by sending a response with a Set-Cookie header whose Domain attribute names a victim domain, causing the client to store that cookie and later send it on requests to the victim site. This affects applications that reuse one AsyncHttpClient cookie jar across attacker-influenced hosts and trusted hosts, such as crawlers, URL fetchers, or redirect-following clients. The result is session fixation or cookie override on the victim domain, so user requests can carry attacker-chosen cookies instead of the intended ones.
Notes
- Applications that share a single
CookieStore across both attacker-influenced origins and trusted origins are the exposed deployment pattern; isolated per-trust-domain jars are not affected by this issue.
- The stored cookie is not limited to the response host’s exact name: a response from one host can plant a cookie for an unrelated parent or sibling domain via the
Domain attribute, so later requests to that victim domain receive the attacker-chosen value.
Workarounds
- Disable the cookie store by calling
setCookieStore(null) when cookies are not needed; this prevents an attacker-influenced host from planting cookies that will later be sent to a trusted domain.
- Use a separate
AsyncHttpClient instance, with its own cookie store, for each trust domain; this prevents attacker-controlled hosts and trusted hosts from sharing the same cookie jar.
- If you must keep a shared client, supply a custom
CookieStore whose add(Uri, Cookie) rejects cookies whose Domain is not domain-matched by the request host; this blocks unrelated-domain cookies from being stored.
How to fix Sensitive Cookie with Improper SameSite Attribute? Upgrade org.asynchttpclient:async-http-client to version 2.16.0, 3.0.11 or higher.
| [,2.16.0)[3.0.0.Beta1,3.0.11) |