Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-22227

Опубликовано: 16 июл. 2025
Источник: redhat
CVSS3: 6.1

Описание

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

A flaw was found in io.projectreactor.netty/reactor-netty. Reactor Netty’s HTTP client, when explicitly configured to follow redirects in chained redirect scenarios, can inadvertently leak credentials. This flaw allows an attacker to trigger this credential leakage by manipulating the redirect chain. This issue exposes sensitive information to an attacker who can observe the network traffic.

Отчет

This vulnerability is rated as Moderate because it requires a specific, non-default configuration to be exploitable. While it involves the leakage of credentials, the impact is lessened by the prerequisite that the Reactor Netty HTTP client must be explicitly configured to follow redirects. This requirement reduces the likelihood of widespread, automatic exploitation.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat build of Apache Camel for Spring Boot 4reactor-nettyFix deferred
Red Hat Fuse 7reactor-nettyFix deferred
Red Hat JBoss Enterprise Application Platform 7reactor-nettyFix deferred
Red Hat JBoss Enterprise Application Platform 8reactor-nettyFix deferred
Red Hat JBoss Enterprise Application Platform Expansion Packreactor-nettyFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-601
https://bugzilla.redhat.com/show_bug.cgi?id=2380447io.projectreactor.netty/reactor-netty: Reactor Netty Credential Leak via Redirects

6.1 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2025-22227

CVSS3: 6.1
nvd
7 месяцев назад

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

github логотип

GHSA-4q2v-9p7v-3v22

CVSS3: 6.1
github
7 месяцев назад

Reactor Netty HTTP is vulnerable to credential leaks during chained redirects

6.1 Medium

CVSS3