VulnerableCode Package Details - pkg:maven/org.asynchttpclient/async-http-client@2.0.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-dp8j-y3uk-2qa5 Aliases: CVE-2017-14063 GHSA-93jq-624g-4p9p	Improper Input Validation Async Http Client can be tricked into connecting to a host different from the one extracted by `java.net.URI` if a `?` character occurs in a fragment identifier.	2.0.35 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-hsyh-djpj-9bb6 Aliases: CVE-2026-40490 GHSA-cmxv-58fp-fm3g	The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.	2.14.5 Affected by 0 other vulnerabilities. 3.0.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-dp8j-y3uk-2qa5
Aliases:
CVE-2017-14063
GHSA-93jq-624g-4p9p

Improper Input Validation Async Http Client can be tricked into connecting to a host different from the one extracted by `java.net.URI` if a `?` character occurs in a fragment identifier.

2.0.35
Affected by 1 other vulnerability.

VCID-hsyh-djpj-9bb6
Aliases:
CVE-2026-40490
GHSA-cmxv-58fp-fm3g

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.

2.14.5
Affected by 0 other vulnerabilities.

3.0.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:02:33.453462+00:00	GitLab Importer	Affected by	VCID-hsyh-djpj-9bb6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.asynchttpclient/async-http-client/CVE-2026-40490.yml	38.6.0
2026-06-04T20:08:42.151167+00:00	GitLab Importer	Affected by	VCID-dp8j-y3uk-2qa5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.asynchttpclient/async-http-client/CVE-2017-14063.yml	38.6.0
2026-06-04T18:23:51.245922+00:00	GHSA Importer	Affected by	VCID-dp8j-y3uk-2qa5	https://github.com/advisories/GHSA-93jq-624g-4p9p	38.6.0