| Name | CVE-2025-27820 |
| Description | A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| httpcomponents-client (PTS) | bullseye | 4.5.13-2 | fixed |
| sid, trixie, bookworm | 4.5.14-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| httpcomponents-client | source | (unstable) | (not affected) |
- httpcomponents-client <not-affected> (Vulnerable code introduced later)
https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
Introduced with: https://github.com/apache/httpcomponents-client/pull/574 (5.4-RC1)
Fixed by: https://github.com/apache/httpcomponents-client/pull/621
Fixed by: https://github.com/apache/httpcomponents-client/commit/c68724713ab8e4a41992d230d41f8dfe0a1a7ba5 (master)
Fixed by: https://github.com/apache/httpcomponents-client/commit/bff9c4772bc0824570d43969ce87886d01766b1c (5.4.3-RC1)