
CVE-2024-53990 — AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s

EPSS 0.48% · P65

I. Basic Information for CVE-2024-53990

Vulnerability Information


Vulnerability Title
AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
Source: NVD (National Vulnerability Database)
Vulnerability Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Authentication
Source: NVD (National Vulnerability Database)
Vulnerability Title
Async Http Client authorization issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Async Http Client is an open-source asynchronous HTTP and WebSocket client library for Java, published by AsyncHttpClient. Async Http Client version 3.0.0 contains an authorization issue vulnerability. The flaw stems from the automatically enabled, self-managed CookieStore handling mechanism, which can cause cookies to be mixed up between users while processing HTTP requests.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor          | Product           | Affected Versions | CPE
AsyncHttpClient | async-http-client | < 3.0.1           | -

II. Public POCs for CVE-2024-53990

No public POC found.

III. Intelligence Information for CVE-2024-53990


IV. Related Vulnerabilities

V. Comments for CVE-2024-53990

No comments yet