Source: async-http-client Version: 2.12.3-1 Severity: important Tags: security upstream Forwarded: https://github.com/AsyncHttpClient/async-http-client/pull/2196 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for async-http-client. CVE-2026-55688[0]: | The AsyncHttpClient (AHC) library allows Java applications to easily | execute HTTP requests and asynchronously process HTTP responses. In | versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to | 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its | Domain attribute without verifying that the responding host is | allowed to set a cookie for that domain, leading to a cookie tossing | / cookie injection issue. A host the client connects to can | therefore plant a cookie scoped to an unrelated domain, and the | client will then send that cookie on later requests to that domain. | Applications that use a single AsyncHttpClient instance - and thus | the default, shared CookieStore - to reach both an attacker- | influenced host and a trusted host are impacted. This issue has been | fixed in versions 2.16.0 and 3.0.11. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-55688 https://www.cve.org/CVERecord?id=CVE-2026-55688 [1] https://github.com/AsyncHttpClient/async-http-client/pull/2196 [2] https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-m452-q8c9-rg2f Please adjust the affected versions in the BTS as needed. Regards, Salvatore

