PT-2026-54858 · Unknown · Async Http Client
Hyperxpro
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-55688
CVSS v3.1
4.0
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
AsyncHttpClient versions 2.0.0 through 2.15.9
AsyncHttpClient versions 3.0.0.Beta1 through 3.0.10
Description
The
ThreadSafeCookieStore component fails to verify if a responding host is authorized to set a cookie for a specific domain before storing it under that domain's attribute. This leads to cookie tossing or cookie injection, where a host connected to by the client can plant a cookie scoped to an unrelated domain. Consequently, the client will send this injected cookie in subsequent requests to that unrelated domain. This affects applications using a single, shared CookieStore instance to communicate with both a trusted host and a host influenced by an attacker.Recommendations
Update AsyncHttpClient to version 2.16.0.
Update AsyncHttpClient to version 3.0.11.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Async Http Client