CVE-2025-27820

high

Description

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

References

Advisories
More

https://security.netapp.com/advisory/ntap-20250516-0003/

https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8

https://hc.apache.org/httpcomponents-client-5.4.x/index.html

https://github.com/apache/httpcomponents-client/pull/621

https://github.com/apache/httpcomponents-client/pull/574

Details

Source: Mitre, NVD

Published: 2025-04-24

Updated: 2025-07-16

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N