
CVE-2025-22227 io.projectreactor.netty:reactor-netty-http

Package

Manager: maven
Name: io.projectreactor.netty:reactor-netty-http
Vulnerable Version: >=1.3.0-m1 <1.3.0-m5 || >=0 <1.2.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00094 (percentile 0.27152)

Details

Reactor Netty HTTP is vulnerable to credential leaks during chained redirects. In some specific scenarios involving a chain of redirects, the Reactor Netty HTTP client forwards credentials to a redirect target. For this to happen, the HTTP client must have been explicitly configured to follow redirects.

Reactor Netty's HttpClient does not follow redirects by default, so only applications that enable redirect following (for example with HttpClient.followRedirect(true) or one of its overloads, including an HttpClient handed to Spring WebClient through ReactorClientHttpConnector) are exposed. Remediation is to move to a release outside the vulnerable range listed above: 1.2.8 or later, or 1.3.0-M5 or later on the 1.3 milestone line.
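The failure class behind this advisory (CWE-200 via redirect following) is easier to reason about with the redirect logic written out. The block below is an added Python model of that logic, not Reactor Netty code and not a reproduction of the specific scenario in the advisory: it contrasts a follower that rebuilds every redirect request from the original headers with one that binds credential headers to the origin they were issued for and drops them permanently once the chain crosses an origin boundary. The hosts, the redirect chain and the token are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Request headers that carry credentials and must not be forwarded across an origin boundary.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

# Constructed redirect chain (hypothetical hosts): request URL -> Location header of the 3xx reply.
# The final target is not a key, so that is where the chain ends with a 200.
REDIRECTS = {
    "https://api.example.com/v1/report": "https://api.example.com/v2/report",           # same origin
    "https://api.example.com/v2/report": "https://files.example.org/report.pdf",        # cross origin
    "https://files.example.org/report.pdf": "https://api.example.com/v2/report/final",  # back to the first origin
}


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) of a URL; redirects are compared by full origin, not host name alone."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, (parts.hostname or "").lower(), parts.port or default_port)


@dataclass
class Hop:
    url: str
    headers: dict  # headers actually put on the wire for this hop


def follow_naive(url: str, headers: dict, max_hops: int = 10) -> list:
    """Vulnerable pattern: every redirect request is built from the original request's
    headers, so the Authorization header reaches every origin in the chain."""
    hops = [Hop(url, dict(headers))]
    while url in REDIRECTS and len(hops) <= max_hops:
        url = REDIRECTS[url]
        hops.append(Hop(url, dict(headers)))
    return hops


def follow_safe(url: str, headers: dict, max_hops: int = 10) -> list:
    """Hardened pattern: credentials are bound to the origin they were issued for.
    Each hop is checked against that origin; on a mismatch the credential headers are
    removed from the header set carried forward, so they stay gone for the rest of the
    chain even if a later hop lands back on the original origin."""
    issued_for = origin(url)
    current = dict(headers)
    hops = [Hop(url, dict(current))]
    while url in REDIRECTS and len(hops) <= max_hops:
        url = REDIRECTS[url]
        if origin(url) != issued_for:
            current = {k: v for k, v in current.items() if k.lower() not in CREDENTIAL_HEADERS}
        hops.append(Hop(url, dict(current)))
    return hops


def credential_recipients(hops: list) -> set:
    """Origins that received a credential header anywhere in the chain."""
    return {origin(h.url) for h in hops
            if any(k.lower() in CREDENTIAL_HEADERS for k in h.headers)}


def leaked_origins(hops: list) -> set:
    """Recipients other than the origin of the first request, i.e. the actual leak.
    This is the check to run against a client's redirect handling."""
    first = origin(hops[0].url)
    return {o for o in credential_recipients(hops) if o != first}


if __name__ == "__main__":
    start = "https://api.example.com/v1/report"
    hdrs = {"Authorization": "Bearer constructed-token", "Accept": "application/pdf"}
    print("naive follower leaks to:", leaked_origins(follow_naive(start, hdrs)))
    print("safe follower leaks to: ", leaked_origins(follow_safe(start, hdrs)))
```

The point the chained case adds is that the decision cannot be made only against the previous hop or only by rebuilding the redirect request from the original: the header set must be carried forward from hop to hop, so that once the chain has crossed an origin boundary the credentials are not silently re-attached on a later hop. The same check can be applied to a real client by capturing the headers it emits per hop and feeding them to leaked_origins.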

Metadata

Created: 2025-07-16T12:30:21Z
Modified: 2025-07-16T20:35:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-4q2v-9p7v-3v22/GHSA-4q2v-9p7v-3v22.json
CWE IDs: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Alternative ID: GHSA-4q2v-9p7v-3v22
Finding: F017
Auto approve: 1