Platform: java
Component: org.asynchttpclient:async-http-client
Fixed in: 3.0.2, 2.12.4
CVE-2024-53990 is a critical vulnerability affecting versions of Async HTTP Client up to 2.9.0. This flaw allows an attacker to hijack user sessions by silently replacing explicitly defined cookies with those from the internal CookieStore. The vulnerability stems from how the CookieStore handles cookie replacement, potentially impacting multi-user applications. A fix is available in version 2.12.4.
The core of this vulnerability lies in the asynchronous nature of Async HTTP Client and its automatic CookieStore management. When making HTTP requests, the CookieStore silently overwrites explicitly provided cookies with any cookies sharing the same name that are already stored within the jar. In multi-user environments, this means a malicious actor could potentially craft a request that replaces one user's session cookie with another's, effectively impersonating that user. This could lead to unauthorized access to sensitive data, modification of user accounts, or even complete control over the application. The impact is particularly severe for applications handling sensitive information like financial transactions or personal data, as session hijacking can grant attackers full access to user accounts and associated resources.
This vulnerability is considered high probability due to the ease of exploitation and the potential for widespread impact. A public proof-of-concept (POC) is available, demonstrating the cookie hijacking technique. While no active exploitation campaigns have been publicly confirmed as of the publication date (2024-12-02), the availability of a POC significantly increases the risk of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern within the cybersecurity community.
Exploit Status
EPSS: 0.33% (55th percentile)
The primary mitigation for CVE-2024-53990 is to upgrade to version 2.12.4 or later of Async HTTP Client. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider disabling the automatic CookieStore and managing cookies explicitly in your application code. This provides greater control over cookie handling and prevents the silent replacement behavior. As a temporary workaround, you could implement stricter cookie validation logic within your application to detect and reject unexpected cookie values. Monitor application logs for unusual cookie activity, which could indicate an attempted exploitation. After upgrading, confirm the fix by sending requests with explicit cookies and verifying that they are not being overwritten by the CookieStore.
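The confirmation step described above, as an added example that is not part of this advisory or of the Async HTTP Client project: a small Java program seeds the client's CookieStore with one SESSION value, sends a request that explicitly sets a different SESSION value for the same name, and checks which value a local echo server actually received. It assumes the 2.x API (`Dsl`, `CookieStore.add(Uri, Cookie)`, `RequestBuilder.addCookie`) and treats the first SESSION pair in the Cookie header as the effective one, since that is how most servers resolve a duplicated name.

```java
import com.sun.net.httpserver.HttpServer;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Request;
import org.asynchttpclient.cookie.CookieStore;
import org.asynchttpclient.uri.Uri;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
public class ExplicitCookieCheck {
    // Value of the first NAME=value pair in a Cookie header: the value most servers
    // use when the same name appears twice (assumption of this check, see lead-in).
    static String firstValue(String cookieHeader, String name) {
        if (cookieHeader == null) return null;
        for (String pair : cookieHeader.split(";")) {
            String p = pair.trim();
            if (p.startsWith(name + "=")) return p.substring(name.length() + 1);
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // Local echo server, constructed for this check: replies with the Cookie header it received.
        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        server.createContext("/", ex -> {
            String seen = String.valueOf(ex.getRequestHeaders().getFirst("Cookie"));
            byte[] body = seen.getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        String url = "http://localhost:" + server.getAddress().getPort() + "/";
        try (AsyncHttpClient client = Dsl.asyncHttpClient()) {
            // Seed the client's internal jar with a SESSION cookie as if it belonged to another user.
            CookieStore jar = client.getConfig().getCookieStore();
            jar.add(Uri.create(url), new DefaultCookie("SESSION", "jar-user-A"));
            // Explicitly set the same cookie name on the request for the current user.
            Request req = Dsl.get(url).addCookie(new DefaultCookie("SESSION", "explicit-user-B")).build();
            String sent = client.executeRequest(req).get().getResponseBody();
            System.out.println("Cookie header seen by server: " + sent);
            if (!"explicit-user-B".equals(firstValue(sent, "SESSION"))) {
                throw new IllegalStateException("CookieStore replaced the explicit cookie: still vulnerable");
            }
            System.out.println("OK: the explicit cookie took precedence over the CookieStore");
        } finally {
            server.stop(0);
        }
    }
}
```

To apply the workaround of disabling the jar instead, the client can be built with `Dsl.asyncHttpClient(Dsl.config().setCookieStore(null))`; that a null store is accepted and skips cookie-store handling is an assumption about the library not verified here.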
Update the AsyncHttpClient library to version 2.5.4 or higher. This version fixes the flaw that let cookies stored in the CookieStore replace explicitly defined cookies, avoiding the user session management problems described above.
CVE-2024-53990 is a critical vulnerability in Async HTTP Client versions up to 2.9.0 where the CookieStore silently replaces explicit cookies, potentially leading to user session hijacking.
If you are using Async HTTP Client versions 2.9.0 or earlier, you are potentially affected by this vulnerability. Upgrade to 2.12.4 to mitigate the risk.
The recommended fix is to upgrade to version 2.12.4 or later. If an upgrade is not immediately possible, disable the automatic CookieStore and manage cookies explicitly.
While no active exploitation campaigns have been publicly confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Async HTTP Client GitHub issue for details: https://github.com/AsyncHttpClient/async-http-client/issues/1964