Auth bypass in Asynchttpclient Async-http-client
CVE-2024-53990
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) wil…
Vulnerability class: Broken Authentication
EPSS: 0.004 (63.5th percentile)
Affected products
- Asynchttpclient Async-http-client — versions < 3.0.1
Weakness classification (CWE)
References
- https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv (x_refsource_CONFIRM)
- https://github.com/AsyncHttpClient/async-http-client/issues/1964 (x_refsource_MISC)
- https://github.com/AsyncHttpClient/async-http-client/pull/2033 (x_refsource_MISC)
- https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425 (x_refsource_MISC)