PT-2026-53794 · Maven · Org.Http4K:Http4K-Core

Publicado

2026-06-19

·

Atualizado

2026-06-19

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

The previous BasicCookieStorage did not enforce RFC 6265 scoping rules around cookie domain, path, and Secure attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have Secure cookies sent over plain HTTP — the deprecation message states it bluntly: "BasicCookieStorage has no domain/path/scheme scoping and leaks cookies across origins. Use DefaultCookieStorage instead."
Who is affected: any client using BasicCookieStorage directly with cookies for more than one origin or scheme. Single-origin uses are unaffected.

Patches

LineFixed inEdition
v6.x (Community)6.48.0.0Community
v5.x (LTS)5.42.0.0Enterprise — contact enterprise@http4k.org
v4.x (LTS)4.51.0.0Enterprise — contact enterprise@http4k.org
The fix introduces DefaultCookieStorage (RFC 6265 compliant) as the drop-in default; BasicCookieStorage is renamed InsecureCookieStorage and remains available for callers with a deliberate need for the old behaviour.

Workarounds

For deployments that cannot upgrade immediately:
  • Use a dedicated BasicCookieStorage instance per origin / scheme, or
  • Switch to a separate RFC 6265-compliant cookie store implementation.

References

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-PR33-38XX-6R26

Produtos afetados

Org.Http4K:Http4K-Core