CVE-2026-45300: async-http-client: Cookie header not stripped on cross-origin redirect
async-http-client leaks Cookie headers to cross-origin redirect targets. When following a redirect across a security boundary (different origin, or HTTPS→HTTP downgrade), the propagatedHeaders() method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but does not strip Cookie, so session cookies and other sensitive cookie values are forwarded to the redirect target — which may be attacker-controlled.
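The following is an added, self-contained illustration of the redirect header policy described above; it is not code from async-http-client or from the advisory, and the header names, URIs and cookie value are constructed. It shows the vulnerable policy (only the two Authorization headers dropped) beside the hardened one (Cookie dropped as well) for a redirect that leaves the original origin, assuming absolute URIs with a host.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added illustration, not async-http-client's own code: which request headers
// a client should forward when it follows a 30x redirect.
public class RedirectHeaderPolicy {
    static final Set<String> AUTH_ONLY = Set.of("authorization", "proxy-authorization");
    static final Set<String> AUTH_AND_COOKIE = Set.of("authorization", "proxy-authorization", "cookie");

    // Scheme, host and port together define the origin. An HTTPS -> HTTP
    // downgrade always changes the scheme, so it counts as a boundary crossing too.
    static boolean crossesSecurityBoundary(URI from, URI to) {
        return !from.getScheme().equalsIgnoreCase(to.getScheme())
            || !from.getHost().equalsIgnoreCase(to.getHost())
            || effectivePort(from) != effectivePort(to);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Copy the headers, dropping the named sensitive ones only when the redirect
    // leaves the original origin. Header names are matched case-insensitively.
    static Map<String, String> propagate(Map<String, String> headers, URI from, URI to, Set<String> sensitive) {
        boolean crossOrigin = crossesSecurityBoundary(from, to);
        Map<String, String> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, String> e : headers.entrySet()) {
            boolean drop = crossOrigin && sensitive.contains(e.getKey().toLowerCase(Locale.ROOT));
            if (!drop) out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        URI original = URI.create("https://app.example/api/profile");      // constructed
        URI target = URI.create("http://other.example/landing");           // constructed cross-origin target
        Map<String, String> req = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        req.put("Authorization", "Bearer PLACEHOLDER");                     // constructed value
        req.put("Cookie", "session=PLACEHOLDER");                           // constructed value
        req.put("Accept", "application/json");
        // Vulnerable policy forwards [Accept, Cookie]; hardened policy forwards [Accept] only.
        System.out.println("vulnerable: " + propagate(req, original, target, AUTH_ONLY).keySet());
        System.out.println("fixed:      " + propagate(req, original, target, AUTH_AND_COOKIE).keySet());
    }
}
```

The same `propagate` call with a same-origin target leaves every header in place, which is the behaviour a redirect-following client should preserve for first-party redirects.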
References
- github.com/AsyncHttpClient/async-http-client/commit/3b0e3e9e
- github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.10
- github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-fmxf-pm6p-7xgm
- github.com/advisories/GHSA-fmxf-pm6p-7xgm
- nvd.nist.gov/vuln/detail/CVE-2026-45300