CVE-2025-27820 – org.apache.httpcomponents.client5:httpclient5
Package
Manager: maven
Name: org.apache.httpcomponents.client5:httpclient5
Vulnerable Version: >=5.4-alpha1 <5.4.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00043 (percentile: 0.12444)
Details
Apache HttpClient disables domain checks

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.
Metadata
Created: 2025-04-24T12:31:28Z
Modified: 2025-05-17T00:30:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-73m2-qfq3-56cx/GHSA-73m2-qfq3-56cx.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-73m2-qfq3-56cx
Finding: F163
Auto approve: 1