The MessageConstraints in the 4.x line sets no constraints on the header line length and header max count by default. One can however easily configure MessageConstraints to have more conservative defaults without much effort. Better yet, one should migrate to the 5.x line. There is no excuse for not having done so.
I fully agree. Unfortunately, there are projects out there that still haven't done so. Hence, 4.x JARs still end up in my classpath even though our own code uses 5.x. That is the reason I had to look into this CVE with a little more scrutiny than I usually do.
If anyone decides to throw a new vulnerability report at us, similar to CVE-2026-54399, my personal preference would be to declare HttpClient 4.x end-of-life the every same moment. HttpClient 4.x is dead, please stop kicking the corpse.
Again, full ACK. However, Ryan upgrading the version to 4.4.17-SNAPSHOT in the 4.4.x branch[1] just sent a different signal.
[1] https://github.com/apache/httpcomponents-core/commit/6b8bf91fcbcbb8fe48c6cf9bb57bcbb2dd64c96d
-- Marcel Stör, https://frightanic.com My PGP key: https://frightanic.com/pgp/
OpenPGP_signature.asc
Description: OpenPGP digital signature
