CVE-2024-53990

AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s

Description

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.

Category

9.2
CVSS
Severity: Critical
CVSS 4.0 •
EPSS 0.11%
Affected: AsyncHttpClient async-http-client
Published at:
Updated at:

References

Link Tags
https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv
https://github.com/AsyncHttpClient/async-http-client/issues/1964
https://github.com/AsyncHttpClient/async-http-client/pull/2033
https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425

Frequently Asked Questions

What is the severity of CVE-2024-53990?
CVE-2024-53990 has been scored as a critical severity vulnerability.
How to fix CVE-2024-53990?
To fix CVE-2024-53990, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-53990 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-53990 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-53990?
CVE-2024-53990 affects AsyncHttpClient async-http-client.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.