Hi,I tracked the fix for https://www.cve.org/CVERecord?id=CVE-2026-54399 back to https://github.com/apache/httpcomponents-core/commit/fdc53a32fe0fccf098cc67e71cd125e447c759ed. According to MITRE, only HTTP Core v5 is affected. However, the NVD updated its entry today to declare "cpe:2.3:a:apache:httpcomponents_core:*:*:*:*:*:*:*:*" be vulnerable "Up to (including) 5.4.2". While Http1Config.java isn't part of the v4.4 code base, I found that org.apache.http.config.MessageConstraints.Builder has a similar kind of -1-means-infinite logic.
Can you confirm that NVD's CPE is correct in including pre v5 versions?
Cheers, -- Marcel Stör, https://frightanic.com My PGP key: https://frightanic.com/pgp/
OpenPGP_signature.asc
Description: OpenPGP digital signature
