PT-2026-53794 · Maven · Org.Http4K:Http4K-Core

Published

2026-06-19

·

Updated

2026-06-19

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

The previous BasicCookieStorage did not enforce RFC 6265 scoping rules around cookie domain, path, and Secure attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have Secure cookies sent over plain HTTP — the deprecation message states it bluntly: "BasicCookieStorage has no domain/path/scheme scoping and leaks cookies across origins. Use DefaultCookieStorage instead."
Who is affected: any client using BasicCookieStorage directly with cookies for more than one origin or scheme. Single-origin uses are unaffected.

Patches

LineFixed inEdition
v6.x (Community)6.48.0.0Community
v5.x (LTS)5.42.0.0Enterprise — contact enterprise@http4k.org
v4.x (LTS)4.51.0.0Enterprise — contact enterprise@http4k.org
The fix introduces DefaultCookieStorage (RFC 6265 compliant) as the drop-in default; BasicCookieStorage is renamed InsecureCookieStorage and remains available for callers with a deliberate need for the old behaviour.

Workarounds

For deployments that cannot upgrade immediately:
  • Use a dedicated BasicCookieStorage instance per origin / scheme, or
  • Switch to a separate RFC 6265-compliant cookie store implementation.

References

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-PR33-38XX-6R26

Affected Products

Org.Http4K:Http4K-Core