Description

A bug in the PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. It was discovered by the Apache HttpClient team and is fixed in the 5.4.3 release.

PUBLISHED | Reserved 2025-03-07 | Published 2025-04-24 | Updated 2025-06-04 | Assigner apache

Problem types

PSL Validation Bypass in Apache HttpClient 5.4.x

Product status

Default status: unaffected

5.4.0 (semver) before 5.4.3: affected

Credits

Joe Gallo (remediation developer)

References

security.netapp.com/advisory/ntap-20250516-0003/

github.com/apache/httpcomponents-client/pull/574 patch

github.com/apache/httpcomponents-client/pull/621 patch

hc.apache.org/httpcomponents-client-5.4.x/index.html product

lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8 vendor-advisory

cve.org (CVE-2025-27820)

nvd.nist.gov (CVE-2025-27820)
