An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS00cTJ2LTlwN3YtM3YyMs4ABKM8

Severity: Moderate. EPSS: 0.00074% (0.22959 Percentile)

Reactor Netty HTTP is vulnerable to credential leaks during chained redirects

Affected package: maven:io.projectreactor.netty:reactor-netty-http
Affected versions: < 1.2.8; >= 1.3.0-M1, < 1.3.0-M5
Fixed versions: 1.2.8, 1.3.0-M5
Dependent packages: 100
Dependent repositories: 919

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38, 1.0.39, 1.0.40, 1.0.41, 1.0.42, 1.0.43, 1.0.44, 1.0.45, 1.0.46, 1.0.47, 1.0.48, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.23, 1.1.24, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.3.0-M1, 1.3.0-M2, 1.3.0-M3, 1.3.0-M4

All unaffected versions

1.2.8

In some specific scenarios involving chained redirects, the Reactor Netty HTTP client leaks credentials. This can only happen when the HTTP client has been explicitly configured to follow redirects.

References: