Authentication Leak On Redirect With Reactor Netty HttpClient
Description
The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reactor Netty HttpClient leaks credentials when following a redirect to a different domain if configured to follow redirects.
According to the NVD entry [1], the HttpClient from Reactor Netty versions 0.9.x prior to 0.9.5 and 0.8.x prior to 0.8.16 may incorrectly leak credentials during a redirect to a different domain. The root cause is that the client does not properly clear or scope credentials when following a redirect, so credentials sent in the original request are reused in the redirected request to a different domain.
To exploit this vulnerability, the HttpClient must be explicitly configured to follow redirects. An attacker can set up a malicious server that, upon receiving a request with credentials, redirects the client to a different domain under the attacker's control. If the client follows the redirect, it may send the same credentials to the attacker's server, thereby leaking them.
An attacker who successfully exploits this vulnerability can obtain sensitive credentials, such as usernames and passwords, that were intended for a legitimate server. This could lead to unauthorized access, account compromise, or further attacks against the targeted system.
The vulnerability is patched in Reactor Netty versions 0.9.5 and 0.8.16 [1]. Users are advised to upgrade to these versions. As a workaround, administrators can disable redirect following in the HttpClient if not required. No other mitigations are mentioned in the advisory.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
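The mechanism the narrative above describes (a client replaying the original request's credential headers on a redirect to another host) and the fix it implies (scope credentials to the origin they were meant for) can be shown with a small simulation. The following is an added example, not Reactor Netty's own code or the advisory's: the two "servers" in `FAKE_SERVERS`, the `follow` client loop and the `scope_credentials` switch are all constructed for illustration. `scope_credentials=False` models the affected-version behaviour; `True` models the origin check a fixed client applies before copying headers onto the redirected request.

```python
from urllib.parse import urlsplit, urljoin

# Headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple that identifies a URL's origin."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(headers, from_url, to_url):
    """Copy request headers onto a redirected request, dropping credential
    headers when the redirect target has a different origin."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


# Constructed stand-in for two servers: the legitimate API host answers with a
# redirect to a different host. Values are (status, Location header or None).
FAKE_SERVERS = {
    "https://api.example.test/v1/data": (302, "https://cdn.other.test/v1/data"),
    "https://cdn.other.test/v1/data": (200, None),
}


def follow(url, headers, max_hops=5, scope_credentials=True):
    """Simulate a client configured to follow redirects.

    Returns a list of (url, headers_sent) pairs, one per hop, so the caller can
    inspect exactly what each host received. scope_credentials=False reproduces
    the affected-version behaviour: every header, credentials included, is
    replayed on the redirected request regardless of the target's origin.
    """
    trail = []
    current, sent = url, dict(headers)
    for _ in range(max_hops):
        trail.append((current, dict(sent)))
        status, location = FAKE_SERVERS.get(current, (404, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trail
        target = urljoin(current, location)
        if scope_credentials:
            sent = headers_for_redirect(sent, current, target)
        else:
            sent = dict(sent)
        current = target
    raise RuntimeError("too many redirects")


def credentials_leaked(trail, first_url):
    """True if any host outside the original origin received a credential header."""
    return any(
        origin(u) != origin(first_url)
        and any(k.lower() in CREDENTIAL_HEADERS for k in h)
        for u, h in trail
    )


if __name__ == "__main__":
    start = "https://api.example.test/v1/data"
    req = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    for scoped in (False, True):
        trail = follow(start, req, scope_credentials=scoped)
        mode = "scoped" if scoped else "unscoped"
        print(f"{mode}: leaked={credentials_leaked(trail, start)}")
        for hop_url, hop_headers in trail:
            print("  ", hop_url, sorted(hop_headers))
```

The origin comparison treats an explicit default port as equal to an omitted one, so a redirect from `https://a.test/` to `https://a.test:443/path` keeps the credentials, while any change of scheme, host or port drops them. The workaround the advisory names (not enabling redirect following) corresponds to never calling `follow` at all; the version fix corresponds to `scope_credentials=True`.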
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.projectreactor.netty:reactor-netty-http (Maven) | >= 0.9.0, < 0.9.5 | 0.9.5 |
| io.projectreactor.netty:reactor-netty-http (Maven) | >= 0.8.0, < 0.8.16 | 0.8.16 |
Affected products
- Pivotal / Reactor Netty (version range: 0.8)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-gpch-h32j-gx6x (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-5404 (GHSA, advisory)
- [3] pivotal.io/security/cve-2020-5404 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.