Medium severity (CVSS 6.1) · GHSA Advisory · Published Jul 16, 2025 · Updated Apr 15, 2026
CVE-2025-22227
Description
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
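A defensive client configuration for the condition the description names, shown as an added example that is not part of this advisory and not Reactor Netty's own code: the weak setting follows every redirect with credentials attached, the hardened one only follows a redirect that stays on the origin of the request that produced it, so a chain that leaves the origin is cut at the first off-origin hop. It assumes the `HttpClient.followRedirect(BiPredicate<HttpClientRequest, HttpClientResponse>)` overload and the `resourceUrl()`, `status()` and `responseHeaders()` accessors on the request and response types; the bearer token is a placeholder, and upgrading to a patched version from the table above remains the actual fix.

```java
import io.netty.handler.codec.http.HttpHeaderNames;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.BiPredicate;
import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;
import reactor.netty.http.client.HttpClientResponse;

public final class RedirectPolicyExample {

    // Constructed placeholder: a credential the application attaches to every request.
    private static final String BEARER = "Bearer <placeholder-token>";

    // Weak setting: follow every redirect, including a chain that leaves the
    // original origin, with the Authorization header still attached.
    static HttpClient permissiveClient() {
        return HttpClient.create()
                .headers(h -> h.set(HttpHeaderNames.AUTHORIZATION, BEARER))
                .followRedirect(true);
    }

    // Hardened setting: only follow a 3xx whose Location resolves to the same
    // scheme, host and port as the request that received it.
    static HttpClient restrictedClient() {
        return HttpClient.create()
                .headers(h -> h.set(HttpHeaderNames.AUTHORIZATION, BEARER))
                .followRedirect(sameOriginOnly());
    }

    // Assumed API: the predicate receives the request of the current hop and
    // the 3xx response; returning false stops the client from following it.
    static BiPredicate<HttpClientRequest, HttpClientResponse> sameOriginOnly() {
        return (req, res) -> {
            int code = res.status().code();
            if (code < 300 || code > 399) {
                return false;
            }
            String location = res.responseHeaders().get(HttpHeaderNames.LOCATION);
            return location != null && isSameOrigin(req.resourceUrl(), location);
        };
    }

    // Pure check, kept separate so it can be unit-tested without a network.
    // A relative Location stays on the origin; a scheme-relative one such as
    // "//other.example/path" resolves to another host and is rejected.
    static boolean isSameOrigin(String requestUrl, String location) {
        try {
            URI from = new URI(requestUrl);
            URI to = from.resolve(new URI(location));
            return from.getScheme() != null
                    && from.getScheme().equalsIgnoreCase(to.getScheme())
                    && from.getHost() != null
                    && from.getHost().equalsIgnoreCase(to.getHost())
                    && effectivePort(from) == effectivePort(to);
        } catch (URISyntaxException e) {
            return false; // an unparseable Location is never followed
        }
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed inputs: same-origin relative hop, then an off-origin hop.
        System.out.println(isSameOrigin("https://api.example/login", "/session")); // true
        System.out.println(isSameOrigin("https://api.example/login", "//cdn.example/x")); // false
        System.out.println(isSameOrigin("https://api.example/login", "http://api.example/x")); // false
    }
}
```

Because the predicate is evaluated on each hop with that hop's request, a chain is checked link by link: the first redirect that points off-origin ends the chain, which is the case the description singles out. The predicate does not itself remove the `Authorization` header, so the same-origin restriction is what keeps the credential on the intended host.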
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.projectreactor.netty:reactor-netty-http (Maven) | >= 1.3.0-M1, < 1.3.0-M5 | 1.3.0-M5 |
| io.projectreactor.netty:reactor-netty-http (Maven) | < 1.2.8 | 1.2.8 |
Affected products
Range: < 1.2.8
Patches
1522892307ea8 Ensure the HTTP/2 upgrade stream inherits the proper state from the original HTTP/1.1 connection when successful upgrade from HTTP/1.1 to HTTP/2 (#3838)
3 files changed · +19 −2
reactor-netty-http/src/main/java/reactor/netty/http/client/Http2ConnectionProvider.java+1 −1 modified@@ -437,7 +437,7 @@ public void operationComplete(Future<Http2StreamChannel> future) { setChannelContext(ch, currentContext()); } HttpClientConfig.addStreamHandlers(ch, obs.then(new HttpClientConfig.StreamConnectionObserver(currentContext())), - opsFactory, acceptGzip, metricsRecorder, proxyAddress, remoteAddress, -1, uriTagValue); + opsFactory, acceptGzip, false, metricsRecorder, proxyAddress, remoteAddress, -1, uriTagValue); if (log.isDebugEnabled()) { logStreamsState(ch, http2PooledRef.slot, "Stream opened");
reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientConfig.java+5 −1 modified@@ -600,6 +600,7 @@ static void addStreamHandlers( ConnectionObserver obs, ChannelOperations.OnSetup opsFactory, boolean acceptGzip, + boolean copyState, @Nullable ChannelMetricsRecorder metricsRecorder, @Nullable SocketAddress proxyAddress, SocketAddress remoteAddress, @@ -677,6 +678,9 @@ else if (metricsRecorder instanceof ContextAwareHttpClientMetricsRecorder) { ChannelOperations<?, ?> ops = opsFactory.create(Connection.from(ch), obs, null); if (ops != null) { ops.bind(); + if (copyState && ops instanceof HttpClientOperations) { + HttpClientOperations.copyState(((HttpClientOperations) ops)); + } } } @@ -979,7 +983,7 @@ protected void initChannel(Channel ch) { setChannelContext(ch, owner.currentContext()); } addStreamHandlers(ch, observer.then(new StreamConnectionObserver(owner.currentContext())), opsFactory, - acceptGzip, metricsRecorder, proxyAddress, remoteAddress, responseTimeoutMillis, uriTagValue); + acceptGzip, true, metricsRecorder, proxyAddress, remoteAddress, responseTimeoutMillis, uriTagValue); if (log.isDebugEnabled()) { logStreamsState(ch, http2PooledRef(owner.pooledRef).slot, "Stream opened"); }
reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientOperations.java+13 −0 modified@@ -951,6 +951,19 @@ final void withWebsocketSupport(WebsocketClientSpec websocketClientSpec) { } } + static void copyState(HttpClientOperations streamOps) { + ChannelOperations<?, ?> ops = ChannelOperations.get(streamOps.channel().parent()); + if (ops instanceof HttpClientOperations) { + HttpClientOperations parentOps = (HttpClientOperations) ops; + if (parentOps.hasSentBody()) { + streamOps.markSentHeaderAndBody(); + } + else if (parentOps.hasSentHeaders()) { + streamOps.markSentHeaders(); + } + } + } + static Throwable addOutboundErrorCause(Throwable exception, @Nullable Throwable cause) { if (cause != null) { cause.setStackTrace(new StackTraceElement[0]);
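Review bot: the new `boolean copyState` parameter added to `addStreamHandlers` in HttpClientConfig.java sits directly after `acceptGzip`, so both call sites now pass two adjacent unlabeled boolean literals (`acceptGzip, false, metricsRecorder, ...` from Http2ConnectionProvider.java and `acceptGzip, true, metricsRecorder, ...` from the `initChannel` upgrade path), and nothing in the hunk records why one is `true` and the other `false`; a one-line Javadoc on the parameter stating that `true` is meant only for the stream created by the HTTP/1.1-to-HTTP/2 upgrade, or a named constant at each call site, would make that distinction visible to the next reader of either caller.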
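Review bot: `copyState` in HttpClientOperations.java silently does nothing when `ChannelOperations.get(streamOps.channel().parent())` is null or not an `HttpClientOperations`, and the `hasSentBody()` / `hasSentHeaders()` branches only ever advance the stream's state, never reset it; since the method is package-private static and the hunk does not guard against it being called on a stream that is not the upgrade stream, a short comment stating that it must run once, immediately after `ops.bind()` on the upgraded stream, plus a debug log in the fall-through case, would document the expected call context and make a missed copy visible during troubleshooting.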