Server Side Request Forgery (SSRF) Affecting org.asynchttpclient:async-http-client package, versions [,2.0.35)

  • Attack Complexity


  • Integrity


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    27 Sep 2017

  • disclosed

    28 Aug 2017

  • credit

    Nicolas Grégoire

How to fix?

Upgrade org.asynchttpclient:async-http-client to version 2.0.35 or higher.


org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client (AHC) classes.

Affected versions of this package are vulnerable to Server Side Request Forgery (SSRF). Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8