Platform
java
Component
org.asynchttpclient:async-http-client
Fixed versions
3.0.2
2.12.4
CVE-2024-53990 is a critical vulnerability affecting versions of Async HTTP Client up to 2.9.0. This flaw allows an attacker to hijack user sessions by silently replacing explicitly defined cookies with those from the internal CookieStore. The vulnerability stems from how the CookieStore handles cookie replacement, potentially impacting multi-user applications. A fix is available in version 2.12.4.
The core of this vulnerability lies in the asynchronous nature of Async HTTP Client and its automatic CookieStore management. When making HTTP requests, the CookieStore silently overwrites explicitly provided cookies with any cookies sharing the same name that are already stored within the jar. In multi-user environments, this means a malicious actor could potentially craft a request that replaces one user's session cookie with another's, effectively impersonating that user. This could lead to unauthorized access to sensitive data, modification of user accounts, or even complete control over the application. The impact is particularly severe for applications handling sensitive information like financial transactions or personal data, as session hijacking can grant attackers full access to user accounts and associated resources.
This vulnerability is considered high probability due to the ease of exploitation and the potential for widespread impact. A public proof-of-concept (POC) is available, demonstrating the cookie hijacking technique. While no active exploitation campaigns have been publicly confirmed as of the publication date (2024-12-02), the availability of a POC significantly increases the risk of exploitation. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern within the cybersecurity community.
Applications utilizing Async HTTP Client versions 2.9.0 and earlier, particularly those deployed in multi-user environments or handling sensitive data, are at significant risk. Shared hosting environments where multiple applications share the same Async HTTP Client instance are especially vulnerable, as a compromise in one application could potentially impact others.
• java / application: Monitor application logs for unexpected cookie values or unusual user activity. Examine request payloads for attempts to inject malicious cookies.
• java / dependency: Use dependency scanning tools to identify instances of vulnerable Async HTTP Client versions in your projects, for example by listing the resolved dependency tree:
  mvn dependency:tree | grep 'org.asynchttpclient:async-http-client'
• generic web: Inspect HTTP response headers for unexpected cookie values. Use browser developer tools to monitor cookie behavior during user sessions.
• generic web: Check for unusual user sessions or login attempts in application logs.
disclosure
poc
patch
Exploitation status
EPSS
0.33% (55th percentile)
CISA SSVC
The primary mitigation for CVE-2024-53990 is to upgrade to version 2.12.4 or later of Async HTTP Client. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider disabling the automatic CookieStore and managing cookies explicitly in your application code. This provides greater control over cookie handling and prevents the silent replacement behavior. As a temporary workaround, you could implement stricter cookie validation logic within your application to detect and reject unexpected cookie values. Monitor application logs for unusual cookie activity, which could indicate an attempted exploitation. After upgrading, confirm the fix by sending requests with explicit cookies and verifying that they are not being overwritten by the CookieStore.
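The post-upgrade check described above, written out as an added example (not code from the advisory or from the Async HTTP Client project): a local echo server returns the Cookie header it received, the client's CookieStore is pre-seeded with a same-named cookie, and the request carries an explicit one, so the printed header shows which value actually left the client. It assumes the AHC 2.x API names (`DefaultAsyncHttpClientConfig.Builder.setCookieStore`, `ThreadSafeCookieStore`, `BoundRequestBuilder.addCookie`) and that passing `null` to `setCookieStore` disables the automatic store, which is the "manage cookies explicitly" workaround named above.

```java
import com.sun.net.httpserver.HttpServer;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Response;
import org.asynchttpclient.cookie.ThreadSafeCookieStore;
import org.asynchttpclient.uri.Uri;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class CookieOverrideCheck {
    // Send one GET with an explicit "session" cookie and return the Cookie
    // header the echo server saw, i.e. what the client really transmitted.
    static String sentCookieHeader(AsyncHttpClient client, String url) throws Exception {
        Response r = client.prepareGet(url)
                .addCookie(new DefaultCookie("session", "explicit"))
                .execute().get();
        return r.getResponseBody();
    }

    public static void main(String[] args) throws Exception {
        // Constructed local echo server: body = value of the incoming Cookie header.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = (cookie == null ? "<none>" : cookie).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/";

        // Seed a shared store with a same-named cookie, as another user's
        // session on a shared client instance would have done.
        ThreadSafeCookieStore store = new ThreadSafeCookieStore();
        store.add(Uri.create(url), new DefaultCookie("session", "stored"));

        DefaultAsyncHttpClientConfig shared = new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(store).build();
        DefaultAsyncHttpClientConfig explicitOnly = new DefaultAsyncHttpClientConfig.Builder()
                .setCookieStore(null).build();   // assumption: null disables the automatic store
        try (AsyncHttpClient a = new DefaultAsyncHttpClient(shared);
             AsyncHttpClient b = new DefaultAsyncHttpClient(explicitOnly)) {
            // Fixed build: both lines contain session=explicit.
            // Vulnerable build: the first line carries the stored value instead.
            System.out.println("shared store : " + sentCookieHeader(a, url));
            System.out.println("store disabled: " + sentCookieHeader(b, url));
        } finally {
            server.stop(0);
        }
    }
}
```

Run it once before and once after the dependency bump; a "shared store" line that no longer shows the seeded value confirms the fix is in effect for your build.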
Update the AsyncHttpClient library to version 2.5.4 or later. This version corrects the vulnerability that allows explicitly defined cookies to be replaced by cookies stored in the CookieStore, thereby avoiding possible security problems related to user session management.
CVE-2024-53990 is a critical vulnerability in Async HTTP Client versions up to 2.9.0 where the CookieStore silently replaces explicit cookies, potentially leading to user session hijacking.
If you are using Async HTTP Client versions 2.9.0 or earlier, you are potentially affected by this vulnerability. Upgrade to 2.12.4 to mitigate the risk.
The recommended fix is to upgrade to version 2.12.4 or later. If an upgrade is not immediately possible, disable the automatic CookieStore and manage cookies explicitly.
While no active exploitation campaigns have been publicly confirmed, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Async HTTP Client GitHub issue for details: https://github.com/AsyncHttpClient/async-http-client/issues/1964