Source: async-http-client
Version: 2.12.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/AsyncHttpClient/async-http-client/pull/2196
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for async-http-client.

CVE-2026-55688[0]:
| The AsyncHttpClient (AHC) library allows Java applications to easily
| execute HTTP requests and asynchronously process HTTP responses. In
| versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to
| 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its
| Domain attribute without verifying that the responding host is
| allowed to set a cookie for that domain, leading to a cookie tossing
| / cookie injection issue. A host the client connects to can
| therefore plant a cookie scoped to an unrelated domain, and the
| client will then send that cookie on later requests to that domain.
| Applications that use a single AsyncHttpClient instance - and thus
| the default, shared CookieStore - to reach both an attacker-
| influenced host and a trusted host are impacted. This issue has been
| fixed in versions 2.16.0 and 3.0.11.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-55688
    https://www.cve.org/CVERecord?id=CVE-2026-55688
[1] https://github.com/AsyncHttpClient/async-http-client/pull/2196
[2] 
https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-m452-q8c9-rg2f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.

Reply via email to