Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.asynchttpclient/async-http-client@2.1.0-alpha7
Type maven
Namespace org.asynchttpclient
Name async-http-client
Version 2.1.0-alpha7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.14.5
Latest_non_vulnerable_version 3.0.10
Affected_by_vulnerabilities
0
url VCID-hsyh-djpj-9bb6
vulnerability_id VCID-hsyh-djpj-9bb6
summary The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (`followRedirect(true)`), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when `stripAuthorizationOnRedirect` is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `stripAuthorizationOnRedirect(true)` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `stripAuthorizationOnRedirect(true)` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40490.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40490.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40490
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21741
published_at 2026-06-09T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21849
published_at 2026-06-05T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21837
published_at 2026-06-06T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.21791
published_at 2026-06-07T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.21733
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40490
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40490
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40490
3
reference_url https://github.com/AsyncHttpClient/async-http-client
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/AsyncHttpClient/async-http-client
4
reference_url https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/commit/6b2fbb7f8
5
reference_url https://github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/commit/ae557ad35246721c09dafb2976609cd0004e78ae
6
reference_url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-2.14.5
7
reference_url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/releases/tag/async-http-client-project-3.0.9
8
reference_url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:51:47Z/
url https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-cmxv-58fp-fm3g
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40490
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40490
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134337
reference_id 1134337
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134337
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2459390
reference_id 2459390
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2459390
12
reference_url https://github.com/advisories/GHSA-cmxv-58fp-fm3g
reference_id GHSA-cmxv-58fp-fm3g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cmxv-58fp-fm3g
fixed_packages
0
url pkg:maven/org.asynchttpclient/async-http-client@2.14.5
purl pkg:maven/org.asynchttpclient/async-http-client@2.14.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@2.14.5
1
url pkg:maven/org.asynchttpclient/async-http-client@3.0.9
purl pkg:maven/org.asynchttpclient/async-http-client@3.0.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@3.0.9
aliases CVE-2026-40490, GHSA-cmxv-58fp-fm3g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hsyh-djpj-9bb6
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.asynchttpclient/async-http-client@2.1.0-alpha7