#VU109240 Configuration in Apache Commons HttpClient - CVE-2025-27820

Cybersecurity Help s.r.o.

Published: 2025-05-16

Vulnerability identifier: #VU109240

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27820

CWE-ID: CWE-16

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Commons HttpClient
Other software / Other software solutions

Vendor: Apache Foundation

Description

The issue may allow a remote attacker to bypass security restrictions.

The issue exists due to an error in PSL validation logic that disables domain checks, affecting cookie management and host name verification. A remote attacker can gain unauthorized access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Commons HttpClient: 5.4 - 5.4.2

External links
https://github.com/apache/httpcomponents-client/pull/574
https://github.com/apache/httpcomponents-client/pull/621
https://hc.apache.org/httpcomponents-client-5.4.x/index.html
https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Information disclosure in Apache HttpClient