VYPR

Async HTTP Client

by Async HTTP Client Project

CVEs (6)

  • CVE-2024-53990 | Cri | Dec 2, 2024
    risk 0.53 | cvss | epss 0.01

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined…

  • CVE-2017-14063 | Hig | Aug 31, 2017
    risk 0.49 | cvss 7.5 | epss 0.03

    Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8…

  • CVE-2026-45300 | Hig | Jun 5, 2026
    risk 0.41 | cvss 7.4 | epss 0.00

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When…

  • CVE-2026-40490 | Med | Apr 18, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and…

  • CVE-2013-7398 | Jun 24, 2015
    risk 0.00 | cvss | epss 0.01

    main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an…

  • CVE-2013-7397 | Jun 24, 2015
    risk 0.00 | cvss | epss 0.01

    Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate…