Key Information

Vulnerability Overview

CVE ID: CVE-2025-22227
Title: Authentication Leak On Redirect With Reactor Netty HTTP Client
Severity: MEDIUM
Release Date: July 15, 2025

Description

Under certain specific scenarios, when chained redirects are present, the Reactor Netty HTTP client may leak credentials. For this to occur, the HTTP client must be explicitly configured to follow redirects.

Affected Spring Products and Versions

Reactor Netty:
- 1.0.0 - 1.0.48
- 1.1.0 - 1.1.31
- 1.2.0 - 1.2.7
- 1.3.0 M1 - 1.3.0 M4
- Older unsupported versions are also affected.

Mitigation

Users of affected versions should upgrade to the corresponding fixed versions. No further mitigation steps are required.

Acknowledgments

This issue was responsibly reported by Martin van Wingerden.

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:A/N
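To check a build against the affected ranges listed above, the following is an added example (not part of the advisory or of Reactor Netty) that scans `mvn dependency:list` style output for Reactor Netty artifacts. It assumes the `io.projectreactor.netty:reactor-netty*` Maven coordinates and `-M<n>` / `.RELEASE` version suffixes, and treats anything before 1.0.0 as affected per the "older unsupported versions" line. A "not listed" result only means the version is outside the listed ranges, since the advisory text here does not name the fixed versions.

```python
import re

# Affected ranges from the advisory, inclusive. A milestone number is the 4th
# tuple component; a normal release uses GA so it sorts after its milestones.
GA = 10**6
AFFECTED = [
    ((1, 0, 0, GA), (1, 0, 48, GA)),
    ((1, 1, 0, GA), (1, 1, 31, GA)),
    ((1, 2, 0, GA), (1, 2, 7, GA)),
    ((1, 3, 0, 1), (1, 3, 0, 4)),  # 1.3.0 M1 - 1.3.0 M4
]
OLDEST_LISTED = (1, 0, 0, GA)  # older unsupported versions are also affected
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[ .-]M(\d+)|[.-]RELEASE)?$")
DEP_RE = re.compile(r"(io\.projectreactor\.netty:reactor-netty[\w-]*):jar:([^:\s]+)")

def parse(version):
    """Return a sortable tuple, or None for formats this check does not know."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)

def is_affected(version):
    """True: in a listed range. False: outside them. None: needs manual review."""
    key = parse(version)
    if key is None:
        return None
    if key < OLDEST_LISTED or any(lo <= key <= hi for lo, hi in AFFECTED):
        return True
    return False if key[3] == GA else None  # unlisted milestone: review by hand

def scan(lines):
    """Return (artifact, version, status) for each Reactor Netty dependency line."""
    hits = (DEP_RE.search(line) for line in lines)
    return [(m.group(1), m.group(2), is_affected(m.group(2))) for m in hits if m]

# Constructed sample in `mvn dependency:list` format (not from the advisory).
SAMPLE = """\
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.1.20:compile
[INFO]    io.projectreactor.netty:reactor-netty-core:jar:1.2.8:compile
[INFO]    io.projectreactor.netty:reactor-netty-http:jar:1.3.0-M3:compile
[INFO]    io.projectreactor:reactor-core:jar:3.6.5:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(artifact, version, {True: "AFFECTED", False: "not listed", None: "review"}[status])
```

An affected version is only exposed when the HTTP client is explicitly configured to follow redirects, so a hit from this scan is a prompt to upgrade and to check that configuration.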