Reactor Netty HTTP Client Authentication Leak Vulnerability

Vulnerability

The Reactor Netty HTTP client, versions 1.0.0 through 1.0.48, 1.1.0 through 1.1.31, 1.2.0 through 1.2.7, and 1.3.0-M1 through 1.3.0-M4, can leak credentials during chained redirects, that is, when a redirect response itself points at a location that redirects again. The issue arises only when the HTTP client is configured to follow redirects; clients that have not enabled redirect following are not affected.
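The following is an added example and is not Reactor Netty code or the advisory's own material. It models the class of bug described above: a redirect-following HTTP client that copies its credentials onto a request to a host the credentials were never issued for. It contrasts three redirect policies over a constructed two-hop chain (the hosts, URLs and the redirect map are invented for the demonstration): forwarding everything, checking the origin only on the first hop, and checking every hop against the original origin. Only the last one keeps the credentials at home.

```python
"""Credential handling across a chained HTTP redirect (added example).

Not Reactor Netty code: a model of a redirect-following client and three
policies for deciding which headers a redirect request may carry. The
hosts, URLs and redirect chain below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Constructed chain: hop 1 stays on the original origin, hop 2 leaves it.
# Maps a request URL to the Location header it answers with; a URL not in
# the map is the final, non-redirecting response.
REDIRECTS = {
    "https://api.example.com/report": "https://api.example.com/v2/report",
    "https://api.example.com/v2/report": "https://files.example.net/report",
}

SENSITIVE = ("authorization", "proxy-authorization", "cookie")


def origin(url):
    """(scheme, host, port), with default ports filled in so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def strip(headers):
    """Drop credential-bearing headers."""
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


# A policy builds the headers for redirect number `hop` (0-based) to `target`.
# `prev_sent` is what the previous request carried, `original` what the
# caller supplied for the first request.

def forward_everything(hop, first_origin, target, prev_sent, original):
    """The leaking behaviour: every hop inherits the previous request's headers."""
    return dict(prev_sent)


def check_first_hop_only(hop, first_origin, target, prev_sent, original):
    """Looks correct for a single redirect but fails on a chain: a later hop
    inherits the credentials an earlier same-origin hop legitimately carried."""
    if hop == 0 and origin(target) != first_origin:
        return strip(prev_sent)
    return dict(prev_sent)


def check_every_hop(hop, first_origin, target, prev_sent, original):
    """Rebuild from the original headers and compare every target against the
    origin the credentials were issued for, not against the previous hop."""
    return strip(original) if origin(target) != first_origin else dict(original)


def follow(start_url, headers, policy, max_hops=5):
    """Walk REDIRECTS from start_url; return [(url, headers_sent), ...]."""
    first_origin = origin(start_url)
    url, sent, trail = start_url, dict(headers), []
    for hop in range(max_hops):
        trail.append((url, dict(sent)))
        if url not in REDIRECTS:
            return trail
        target = REDIRECTS[url]
        sent = policy(hop, first_origin, target, sent, headers)
        url = target
    raise RuntimeError("redirect limit exceeded")


def leaked_to(trail):
    """Hosts other than the first request's host that received a sensitive header."""
    home = origin(trail[0][0])[1]
    return sorted({origin(u)[1] for u, h in trail
                   if origin(u)[1] != home and any(k.lower() in SENSITIVE for k in h)})


if __name__ == "__main__":
    creds = {"Authorization": "Bearer constructed-token", "Accept": "application/json"}
    for policy in (forward_everything, check_first_hop_only, check_every_hop):
        trail = follow("https://api.example.com/report", creds, policy)
        print(f"{policy.__name__:22s} leaked to: {leaked_to(trail)}")
```

The point the chain makes is that a same-origin first hop is exactly what defeats a check that runs only once: the second request is built from a request that still carried the credentials. Any client-side mitigation for an unpatched version has to re-evaluate the target origin on every hop and rebuild the redirect request from the caller's original headers, not from the previous hop's.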

Impact

Exploitation of this vulnerability results in an unintentional disclosure of the client's authentication credentials to a redirect target that should not receive them.

Remediation

Users should upgrade to Reactor Netty versions 1.2.8 or 1.3.0-M5, or to the corresponding fixed versions in the 1.0.x or 1.1.x branches. Instructions for obtaining these versions are available on the Spring website.
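As an added example (not part of the advisory or of Reactor Netty), the script below encodes the affected ranges listed above and checks dependency coordinates against them, so that a dependency listing can be audited offline. It assumes the coordinate shape printed by Maven's `dependency:tree` (group:artifact:packaging:version:scope) and that the HTTP client ships in the `reactor-netty-http` and aggregate `reactor-netty` artifacts; the sample tree is constructed. Milestone ordering (1.3.0-M4 before 1.3.0-M5 before 1.3.0-RC1 before 1.3.0) is handled explicitly, since a plain string comparison gets it wrong.

```python
"""Affected-version check for the ranges in the advisory (added example).

Not part of the advisory or of Reactor Netty. Encodes the inclusive version
ranges stated above and matches them against dependency coordinates. The
artifact names matched are an assumption about which coordinates carry the
HTTP client; the sample dependency tree is constructed.
"""
import re

# Inclusive affected ranges as stated in the advisory.
AFFECTED = [
    ("1.0.0", "1.0.48"),
    ("1.1.0", "1.1.31"),
    ("1.2.0", "1.2.7"),
    ("1.3.0-M1", "1.3.0-M4"),
]
# Fixed versions the advisory names; it names none for 1.0.x and 1.1.x.
FIXED = {"1.2": "1.2.8", "1.3": "1.3.0-M5"}

# Pre-release qualifiers sort before the GA release: M1 < M2 < RC1 < GA.
QUALIFIER_RANK = {"M": 0, "RC": 1}
GA_RANK = 9
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(M|RC)(\d+))?$")


def version_key(v):
    """Sortable tuple for a Reactor Netty version string."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version format: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = QUALIFIER_RANK[qual] if qual else GA_RANK
    return (int(major), int(minor), int(patch), rank, int(qnum or 0))


def is_affected(v):
    k = version_key(v)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)


def fix_for(v):
    """Fixed version the advisory names for an affected version, or None
    when it is not affected or the advisory names no version for its line."""
    if not is_affected(v):
        return None
    major, minor = version_key(v)[:2]
    return FIXED.get(f"{major}.{minor}")


# group:artifact[:packaging]:version[:scope]; only the artifacts assumed to
# carry the HTTP client are matched (reactor-netty-core is deliberately not).
COORD_RE = re.compile(r"(?:^|\s)([\w.-]+):(reactor-netty(?:-http)?):(?:[A-Za-z][\w-]*:)?([0-9][\w.-]*)")


def audit(lines):
    """Return [(artifact, version, affected, fix)] for each matching coordinate."""
    found = []
    for line in lines:
        m = COORD_RE.search(line)
        if m:
            _group, artifact, version = m.groups()
            found.append((artifact, version, is_affected(version), fix_for(version)))
    return found


# Constructed sample in Maven dependency:tree shape.
SAMPLE_TREE = """\
[INFO] +- com.example:other-lib:jar:2.0.0:compile
[INFO] |  +- io.projectreactor.netty:reactor-netty-http:jar:1.2.5:compile
[INFO] |  |  \\- io.projectreactor.netty:reactor-netty-core:jar:1.2.5:compile
[INFO] \\- io.projectreactor.netty:reactor-netty:jar:1.3.0-M5:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version, affected, fix in audit(SAMPLE_TREE):
        status = f"AFFECTED, upgrade to {fix or 'the fixed version for this branch'}" if affected else "ok"
        print(f"{artifact}:{version}: {status}")
```

In practice the input is the output of `mvn dependency:tree` (or the equivalent Gradle `dependencies` report, whose `group:artifact:version` lines the same pattern also matches), and a transitive `reactor-netty-http` pulled in by a web framework is the case most easily missed.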

Added: Jul 16, 2025, 10:25 AM
Updated: Jul 16, 2025, 10:25 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          5.0
impact          2.5
exploitability  6.0
remediation     7.7
relevance       0.3
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.