PT-2026-53794 · Maven · Org.Http4K:Http4K-Core
Publicado
2026-06-19
·
Atualizado
2026-06-19
CVSS v4.0
6.9
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Impact
The previous
BasicCookieStorage did not enforce RFC 6265 scoping rules around cookie domain, path, and Secure attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have Secure cookies sent over plain HTTP — the deprecation message states it bluntly: "BasicCookieStorage has no domain/path/scheme scoping and leaks cookies across origins. Use DefaultCookieStorage instead."Who is affected: any client using
BasicCookieStorage directly with cookies for more than one origin or scheme. Single-origin uses are unaffected.Patches
| Line | Fixed in | Edition |
|---|---|---|
| v6.x (Community) | 6.48.0.0 | Community |
| v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org |
| v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org |
The fix introduces
DefaultCookieStorage (RFC 6265 compliant) as the drop-in default; BasicCookieStorage is renamed InsecureCookieStorage and remains available for callers with a deliberate need for the old behaviour.Workarounds
For deployments that cannot upgrade immediately:
- Use a dedicated
BasicCookieStorageinstance per origin / scheme, or - Switch to a separate RFC 6265-compliant cookie store implementation.
References
- Fix release: v6.48.0.0
- Cookie storage rewrite:
6a9b44d743 - Background: RFC 6265 — HTTP State Management Mechanism
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Org.Http4K:Http4K-Core