[GHSA-cmxv-58fp-fm3g] AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects #7493
Hi there @hyperxpro! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-cmxv-58fp-fm3g to reflect the backported fix on the 2.x release line and to refine affected version ranges for AsyncHttpClient.
Changes:
- Update advisory details to note fixes in both 3.0.9 (3.x) and 2.14.5 (2.x).
- Refine the affected-version range for the 3.x line and add a new affected range for the 2.x line.
| "aliases": [ | ||
| "CVE-2026-40490" | ||
| ], | ||
| "summary": "AsyncHttpClient leaks authorization credentialsto untrusted domains on cross-origin redirects", |
The summary contains a typo: "credentialsto" is missing a space. Consider updating it to "credentials to" for readability/searchability.
| "summary": "AsyncHttpClient leaks authorization credentialsto untrusted domains on cross-origin redirects", | |
| "summary": "AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects", |
The vulnerability fix was backported to the 2.x release line in the 2.14.5 release.