PT-2026-53794 · Maven · Org.Http4K:Http4K-Core
Published
2026-06-19
·
Updated
2026-06-19
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Impact
The previous
BasicCookieStorage did not enforce RFC 6265 scoping rules around cookie domain, path, and Secure attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have Secure cookies sent over plain HTTP — the deprecation message states it bluntly: "BasicCookieStorage has no domain/path/scheme scoping and leaks cookies across origins. Use DefaultCookieStorage instead."Who is affected: any client using
BasicCookieStorage directly with cookies for more than one origin or scheme. Single-origin uses are unaffected.Patches
| Line | Fixed in | Edition |
|---|---|---|
| v6.x (Community) | 6.48.0.0 | Community |
| v5.x (LTS) | 5.42.0.0 | Enterprise — contact enterprise@http4k.org |
| v4.x (LTS) | 4.51.0.0 | Enterprise — contact enterprise@http4k.org |
The fix introduces
DefaultCookieStorage (RFC 6265 compliant) as the drop-in default; BasicCookieStorage is renamed InsecureCookieStorage and remains available for callers with a deliberate need for the old behaviour.Workarounds
For deployments that cannot upgrade immediately:
- Use a dedicated
BasicCookieStorageinstance per origin / scheme, or - Switch to a separate RFC 6265-compliant cookie store implementation.
References
- Fix release: v6.48.0.0
- Cookie storage rewrite:
6a9b44d743 - Background: RFC 6265 — HTTP State Management Mechanism
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Org.Http4K:Http4K-Core