{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/asynchttpclient/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["async-http-client (\u003e= 3.0.0.Beta1, \u003c 3.0.10)","async-http-client (\u003e= 2.0.0, \u003c 2.15.0)"],"_cs_severities":["high"],"_cs_tags":["cookie","header","redirect","vulnerability","ghsa","CVE-2026-45300"],"_cs_type":"advisory","_cs_vendors":["AsyncHttpClient"],"content_html":"\u003cp\u003eThe async-http-client library is vulnerable to leaking \u003ccode\u003eCookie\u003c/code\u003e headers to cross-origin redirect targets. Specifically, when following a redirect across a security boundary (different origin, or HTTPS→HTTP downgrade), the \u003ccode\u003epropagatedHeaders()\u003c/code\u003e method in \u003ccode\u003eRedirect30xInterceptor.java\u003c/code\u003e does not strip the \u003ccode\u003eCookie\u003c/code\u003e header, leading to potential exposure of session cookies, CSRF tokens, and API keys. This vulnerability exists in versions of \u003ccode\u003easync-http-client\u003c/code\u003e between 3.0.0.Beta1 and 3.0.10, as well as between 2.0.0 and 2.15.0. Attackers can exploit this by crafting malicious redirects that forward sensitive cookie data to attacker-controlled destinations, potentially leading to session hijacking and data theft. This matters for defenders as it exposes applications using the affected library to significant security risks if they rely on redirects with cookies for authentication or authorization. The vulnerability is fixed in versions 3.0.10 and 2.15.0. CVE-2026-45300 has been assigned to this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim\u0026rsquo;s application initiates an HTTP request to a trusted API endpoint.\u003c/li\u003e\n\u003cli\u003eThe trusted API endpoint responds with a 302 redirect to a malicious URL (e.g., \u003ccode\u003ehttps://evil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRedirect30xInterceptor.java\u003c/code\u003e class in \u003ccode\u003easync-http-client\u003c/code\u003e processes the redirect.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epropagatedHeaders()\u003c/code\u003e method is called to determine which headers to forward.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the \u003ccode\u003eCookie\u003c/code\u003e header is not stripped, unlike \u003ccode\u003eAuthorization\u003c/code\u003e and \u003ccode\u003eProxy-Authorization\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003easync-http-client\u003c/code\u003e library forwards the original request, including the \u003ccode\u003eCookie\u003c/code\u003e header, to the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled server at \u003ccode\u003eevil.com\u003c/code\u003e receives the leaked \u003ccode\u003eCookie\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker can then extract sensitive information from the \u003ccode\u003eCookie\u003c/code\u003e header, such as session IDs, CSRF tokens, or API keys for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eSession hijacking\u003c/strong\u003e: Attackers can use leaked session cookies to impersonate legitimate users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCSRF token theft\u003c/strong\u003e: Attackers can steal CSRF tokens carried in cookies to perform unauthorized actions on behalf of the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI key theft\u003c/strong\u003e: Attackers can obtain API keys stored in cookies to access sensitive resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivacy breaches\u003c/strong\u003e: Tracking identifiers leak to third-party origins, compromising user privacy.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eAttack scenarios include open-redirects in trusted API endpoints, compromised CDNs or API gateways injecting redirects, and man-in-the-middle attacks on plaintext hops in the redirect chain. Organizations using vulnerable versions of \u003ccode\u003easync-http-client\u003c/code\u003e are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003easync-http-client\u003c/code\u003e to version 3.0.10 or 2.15.0 to patch the vulnerability as described in the fix details.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AsyncHttpClient Cookie Leak via Redirect\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and audit application code to ensure proper handling of redirects and cookie security.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious redirects to external domains and unexpected cookie transfers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T16:44:58Z","date_published":"2026-05-18T16:44:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-async-http-cookie-leak/","summary":"The async-http-client library leaks `Cookie` headers to cross-origin redirect targets due to missing header stripping in `Redirect30xInterceptor.java`, potentially exposing sensitive information to malicious third parties.","title":"async-http-client Cookie Header Leak on Cross-Origin Redirect","url":"https://feed.craftedsignal.io/briefs/2026-05-async-http-cookie-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — AsyncHttpClient","version":"https://jsonfeed.org/version/1.1"}