Vendor
The async-http-client library leaks `Cookie` headers to cross-origin redirect targets due to missing header stripping in `Redirect30xInterceptor.java`, potentially exposing sensitive information to malicious third parties.