CVE-2024-53990 (CVSS 9.2): AsyncHttpClient Vulnerability Puts Java Applications at Risk
A critical-severity vulnerability (CVE-2024-53990) has been discovered in the AsyncHttpClient (AHC) library, a popular Java library for making asynchronous HTTP requests. Rated CVSS 9.2, the flaw can cause one user's session cookie to be sent on another user's request, which could let an attacker act within a different user's session and gain unauthorized access to sensitive information.
The vulnerability stems from how the library’s CookieStore handles cookies. According to the security advisory, “the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar.”
In simpler terms, when an application using AHC makes an HTTP request with an explicitly set cookie, the CookieStore may silently replace that cookie with one of the same name from its own store. This behavior is particularly dangerous in multi-user environments, where a shared client instance can end up sending one user's cookie on another user's request.
This vulnerability poses a significant risk to applications that rely on AHC for handling user authentication and authorization, especially those that interact with third-party services. As the advisory explains, “The moment a third party service responds by setting a cookie in the response, the CookieStore will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user’s information).”
The vulnerability affects AHC version 3.0.0.
Security researcher Chris Earle has been credited with discovering and reporting this vulnerability.
Developers and organizations using AHC in their applications are strongly advised to upgrade to the patched version 3.0.1 immediately.
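As an added example that is not part of the advisory or of the AHC project itself, the following self-contained Java program reproduces the multi-user mix-up against a local stand-in for the "third party service" and shows the configuration-level containment of disabling the cookie jar with `setCookieStore(null)` until the upgrade to 3.0.1 is in place. The echo server and the session values are constructed; the program assumes the AHC API names used here (`Dsl`, `DefaultAsyncHttpClientConfig.Builder#setCookieStore`, `RequestBuilder#addCookie`) are the same in 3.0.0 as in the 2.x releases they come from.

```java
import com.sun.net.httpserver.HttpServer;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Request;
import java.net.InetSocketAddress;

public class CookieJarDemo {
    // Constructed stand-in for the third-party service: it echoes back the Cookie header
    // it received and sets a same-named cookie, which is what populates AHC's cookie jar.
    static HttpServer startEchoServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String seen = String.valueOf(ex.getRequestHeaders().getFirst("Cookie"));
            ex.getResponseHeaders().add("Set-Cookie", "session=alice-session; Path=/");
            byte[] body = seen.getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        return server;
    }

    // One request on behalf of one user, with that user's session cookie set explicitly.
    static String requestAs(AsyncHttpClient client, String url, String session) throws Exception {
        Request req = Dsl.get(url).addCookie(new DefaultCookie("session", session)).build();
        return client.executeRequest(req).get().getResponseBody();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startEchoServer();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/";
        try (AsyncHttpClient shared = Dsl.asyncHttpClient();  // default: cookie jar enabled
             AsyncHttpClient noJar = Dsl.asyncHttpClient(Dsl.config().setCookieStore(null))) {
            // The first reply stores session=alice-session in the jar; on AHC 3.0.0 the
            // explicit bob-session cookie on the second request is silently replaced by it.
            System.out.println("jar enabled, alice: " + requestAs(shared, url, "alice-session"));
            System.out.println("jar enabled, bob:   " + requestAs(shared, url, "bob-session"));
            // With the jar disabled, only the cookie the caller set is ever sent.
            System.out.println("jar disabled, alice: " + requestAs(noJar, url, "alice-session"));
            System.out.println("jar disabled, bob:   " + requestAs(noJar, url, "bob-session"));
        } finally {
            server.stop(0);
        }
    }
}
```

Comparing the two "bob" lines makes the defect visible in the echoed Cookie header; disabling the jar only contains the issue for clients that never relied on it, so the upgrade to 3.0.1 remains the fix.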