SCA: security update for org.asynchttpclient:async-http-client (GHSA-fmxf-pm6p-7xgm)

Severity: High | Tenable Cloud Security | Plugin ID 442064

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue. (CVE-2026-45300)
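The following is an added illustration of the header-propagation decision the advisory describes, written for this page and not taken from AsyncHttpClient's source: it models the pre-fix filter (only the two auth headers dropped on a cross-origin hop) beside the corrected one (Cookie dropped as well), with hypothetical class, method and URI names and placeholder header values.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Model of the propagation decision the advisory describes. Not AHC's own code;
// class and method names here are hypothetical.
public class RedirectHeaderFilter {
    // A redirect is cross-origin when scheme, host or effective port differ.
    static boolean isCrossOrigin(URI from, URI to) {
        return !from.getScheme().equalsIgnoreCase(to.getScheme())
                || !from.getHost().equalsIgnoreCase(to.getHost())
                || effectivePort(from) != effectivePort(to);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Pre-fix behaviour (2.x < 2.15.0, 3.x < 3.0.10): only the two auth headers are
    // dropped on a cross-origin hop, so Cookie follows the redirect.
    static Map<String, String> propagatedHeadersVulnerable(Map<String, String> h, URI from, URI to) {
        return filter(h, from, to, List.of("authorization", "proxy-authorization"));
    }

    // Fixed behaviour: Cookie is stripped on cross-origin redirects as well.
    static Map<String, String> propagatedHeadersFixed(Map<String, String> h, URI from, URI to) {
        return filter(h, from, to, List.of("authorization", "proxy-authorization", "cookie"));
    }

    private static Map<String, String> filter(Map<String, String> h, URI from, URI to, List<String> strip) {
        Map<String, String> out = new LinkedHashMap<>();
        boolean cross = isCrossOrigin(from, to);
        for (Map.Entry<String, String> e : h.entrySet()) {
            if (cross && strip.contains(e.getKey().toLowerCase())) continue;
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        URI from = URI.create("https://app.example.test/login");   // constructed sample URIs
        URI to = URI.create("https://cdn.example.net/landing");    // different origin
        Map<String, String> req = new LinkedHashMap<>();
        req.put("Cookie", "JSESSIONID=<session>");                  // placeholder value
        req.put("Authorization", "Bearer <token>");                 // placeholder value
        System.out.println("vulnerable keeps: " + propagatedHeadersVulnerable(req, from, to).keySet());
        System.out.println("fixed keeps:      " + propagatedHeadersFixed(req, from, to).keySet());
    }
}
```

Run with `javac RedirectHeaderFilter.java && java RedirectHeaderFilter`: the vulnerable filter still reports `[Cookie]` for the cross-origin hop, the fixed one reports an empty set.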

Solution

Update the org.asynchttpclient:async-http-client library and its related packages to version 2.15.0 or later.

See Also

https://github.com/advisories/GHSA-fmxf-pm6p-7xgm

Plugin Details

Severity: High

ID: 442064

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 5/18/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.2

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-45300

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/18/2026

Vulnerability Publication Date: 5/18/2026

Reference Information

CVE: CVE-2026-45300

CWE: CWE-200