Threat Advisory

Async HTTP Client Vulnerability Exposes Sensitive Cookies

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45300, with a CVSS score of 7.4, is a vulnerability in the async-http-client library that allows an attacker to leak sensitive cookie information to cross-origin redirect targets. The affected product is the async-http-client library, specifically versions 3.0.0.Beta1 to 3.0.10 and versions 2.0.0 to 2.15.0. The vulnerability occurs because the library fails to strip cookie headers on cross-origin redirects, allowing an attacker to obtain sensitive information such as session cookies, CSRF tokens, and API keys. An attacker can exploit this vulnerability by using an open redirect in a trusted API endpoint, compromising a CDN or API gateway, or performing a Man-in-the-Middle (MITM) attack on a plaintext hop in the redirect chain. If exploited, this vulnerability could lead to session hijacking, CSRF token theft, API key theft, and privacy issues, with significant business impact. To exploit this vulnerability, the attacker requires access to the redirect flow and the ability to manipulate the redirect target.
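To make the mechanism concrete, the following added example (written for this advisory in Python; it is not async-http-client code, and all names and URLs in it are constructed) shows the correct handling: credential headers are kept on a same-origin redirect and dropped as soon as the scheme, host or port of the Location target differs. A flag reproduces the flawed behaviour so the two outcomes can be compared on the same redirect chain.

```python
from urllib.parse import urlsplit

# Request headers that carry credentials and must not follow a cross-origin
# redirect. (Constructed for this advisory; not async-http-client code.)
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})

def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported redirect target: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)

def headers_for_redirect(headers: dict, from_url: str, to_url: str,
                         strip_cross_origin: bool = True) -> dict:
    """Headers to send when following a redirect from from_url to to_url.
    strip_cross_origin=False reproduces the flawed behaviour the advisory
    describes: credential headers are forwarded unchanged to whatever origin
    the Location header names, including a plaintext (http) hop.
    """
    if not strip_cross_origin or origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def follow_chain(headers: dict, chain: list[str],
                 strip_cross_origin: bool = True) -> list[tuple[str, dict]]:
    """Walk a redirect chain and record the headers each hop would receive."""
    sent = [(chain[0], dict(headers))]
    for prev, nxt in zip(chain, chain[1:]):
        sent.append((nxt, headers_for_redirect(sent[-1][1], prev, nxt, strip_cross_origin)))
    return sent

def leaked_to(hops: list[tuple[str, dict]]) -> list[str]:
    """Origins other than the first hop's that received a credential header."""
    first = origin(hops[0][0])
    return [url for url, hdrs in hops
            if origin(url) != first and any(k.lower() in SENSITIVE_HEADERS for k in hdrs)]

if __name__ == "__main__":
    # Constructed chain: one same-origin redirect, then a cross-origin plaintext hop.
    creds = {"Cookie": "session=abc123", "Authorization": "Bearer tok", "Accept": "*/*"}
    chain = ["https://api.example.test/login", "https://api.example.test/v2/login",
             "http://cdn.example.test/landing"]
    print("fixed :", leaked_to(follow_chain(creds, chain)))         # []
    print("flawed:", leaked_to(follow_chain(creds, chain, False)))  # ['http://cdn.example.test/landing']
```

The origin comparison treats a scheme downgrade (https to http) or a port change on the same host as cross-origin, which is the case the plaintext-hop scenario above depends on.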

RECOMMENDATION:

  • We recommend updating async-http-client to version 3.0.10.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-fmxf-pm6p-7xgm
