{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27820", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-03-07T12:47:46.839Z", "datePublished": "2025-04-24T11:44:25.986Z", "dateUpdated": "2025-04-24T15:00:16.197Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HttpComponents", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.4.3", "status": "affected", "version": "5.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Joe Gallo"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<code>A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release<br></code>"}], "value": "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "PSL Validation Bypass in Apache HttpClient 5.4.x", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-04-24T11:44:25.986Z"}, "references": [{"url": "https://github.com/apache/httpcomponents-client/pull/574"}, {"url": "https://github.com/apache/httpcomponents-client/pull/621"}, {"url": "https://hc.apache.org/httpcomponents-client-5.4.x/index.html"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache HttpComponents: PSL (Public Suffix List) validation bypass", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-295", "lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-24T14:58:16.247019Z", "id": "CVE-2025-27820", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T15:00:16.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-27820", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-24T14:58:16.247019Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T15:00:10.537Z"}}], "cna": {"title": "Apache HttpComponents: PSL (Public Suffix List) validation bypass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "remediation developer", "value": "Joe Gallo"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HttpComponents", "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/apache/httpcomponents-client/pull/574"}, {"url": "https://github.com/apache/httpcomponents-client/pull/621"}, {"url": "https://hc.apache.org/httpcomponents-client-5.4.x/index.html"}, {"url": "https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release", "supportingMedia": [{"type": "text/html", "value": "<code>A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release<br></code>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "PSL Validation Bypass in Apache HttpClient 5.4.x"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-04-24T11:44:25.986Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27820", "state": "PUBLISHED", "dateUpdated": "2025-04-24T15:00:16.197Z", "dateReserved": "2025-03-07T12:47:46.839Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-04-24T11:44:25.986Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release"}, {"lang": "es", "value": "Un error en la l\u00f3gica de validaci\u00f3n de PSL en Apache HttpClient 5.4.x deshabilita las comprobaciones de dominio, lo que afecta la gesti\u00f3n de cookies y la verificaci\u00f3n del nombre de host. Descubierto por el equipo de Apache HttpClient. Corregido en la versi\u00f3n 5.4.3."}], "id": "CVE-2025-27820", "lastModified": "2025-04-29T13:52:47.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-24T12:15:16.723", "references": [{"source": "security@apache.org", "url": "https://github.com/apache/httpcomponents-client/pull/574"}, {"source": "security@apache.org", "url": "https://github.com/apache/httpcomponents-client/pull/621"}, {"source": "security@apache.org", "url": "https://hc.apache.org/httpcomponents-client-5.4.x/index.html"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass", "id": "2362042", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362042"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release", "A flaw was found in Apache HttpClient. This vulnerability allows unauthorized access or information disclosure via disabled Public Suffix List (PSL) validation, affecting cookie management and hostname verification."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-27820", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Fix deferred", "package_name": "httpclient5", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "quarkus-camel-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "quarkus-cxf-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-modelmesh-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "httpclient5", "product_name": "streams for Apache Kafka"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "httpclient5", "product_name": "streams for Apache Kafka 2"}], "public_date": "2025-04-24T11:44:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27820\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27820\nhttps://github.com/advisories/GHSA-73m2-qfq3-56cx\nhttps://github.com/apache/httpcomponents-client/pull/574\nhttps://github.com/apache/httpcomponents-client/pull/621\nhttps://hc.apache.org/httpcomponents-client-5.4.x/index.html\nhttps://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"], "statement": "This vulnerability is rated Moderate due to the high attack complexity required for exploitation, the limited impact on confidentiality, and the fact that the issue does not allow direct system compromise or denial of service. While the failure to load the Public Suffix List weakens hostname and cookie validation, it does not lead to immediate critical security breaches, and mitigation techniques such as manual cookie domain validation and other security measures typically reduce the risk in real-world scenarios.", "threat_severity": "Moderate"}