AsyncHttpClient Cross-Origin Redirect Credential Leakage Vulnerability
Vulnerability
A vulnerability in the AsyncHttpClient library allows for the unintentional forwarding of sensitive authorization headers and Realm credentials to arbitrary redirect targets. This issue is present in versions prior to 3.0.9 and 2.14.5. The vulnerability arises when redirect following is enabled, as the library fails to properly manage authorization headers during cross-domain redirects or downgrades from HTTPS to HTTP. As a result, an attacker controlling the redirect target can intercept Bearer tokens, Basic authentication credentials, or any other value from the Authorization header.
Impact
Exploitation of this vulnerability leads to the unauthorized disclosure of authorization credentials, including Bearer tokens and Basic authentication details, to untrusted redirect targets.
Reproduction
To reproduce this vulnerability, send an HTTP request with an Authorization header to a server that will respond with a redirect to a different domain or an HTTP URL. Ensure that the redirect crosses origins or downgrades from HTTPS to HTTP. The Authorization header will be forwarded to the redirect target, leaking the credentials.
Remediation
Users should upgrade to AsyncHttpClient version 3.0.9 or 2.14.5, where this vulnerability has been patched. For those unable to upgrade, it is recommended to disable redirect following and manage redirects manually, or to use the stripAuthorizationOnRedirect option in the client configuration.
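As an added example (not code from the AsyncHttpClient project or from this advisory), the manual-redirect workaround above: automatic following stays off and the client re-issues the request itself, dropping the Authorization header whenever the target changes origin or downgrades from HTTPS to HTTP. The class name, the hop limit and the example URL are assumptions; the AsyncHttpClient calls used (Dsl.asyncHttpClient, Dsl.config, setFollowRedirect, prepareGet, setHeader, execute, getStatusCode, getHeader) are the library's public API.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.BoundRequestBuilder;
import org.asynchttpclient.Response;
import static org.asynchttpclient.Dsl.asyncHttpClient;
import static org.asynchttpclient.Dsl.config;

public class SafeRedirectClient {
    // Credentials must not follow a redirect that leaves the original origin;
    // a scheme change (including the HTTPS-to-HTTP downgrade) counts as cross-origin.
    static boolean mustStripAuthorization(URI from, URI to) {
        return to.getHost() == null
                || !from.getScheme().equalsIgnoreCase(to.getScheme())
                || !from.getHost().equalsIgnoreCase(to.getHost())
                || effectivePort(from) != effectivePort(to);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Follows up to maxHops redirects by hand so the Authorization header is
    // only re-sent to the origin that originally received it.
    static Response getWithSafeRedirects(AsyncHttpClient client, String url,
                                         String authHeader, int maxHops)
            throws ExecutionException, InterruptedException {
        URI current = URI.create(url);
        String auth = authHeader;
        for (int hop = 0; ; hop++) {
            BoundRequestBuilder req = client.prepareGet(current.toString());
            if (auth != null) req.setHeader("Authorization", auth);
            Response resp = req.execute().get();
            String location = resp.getHeader("Location");
            boolean isRedirect = resp.getStatusCode() / 100 == 3 && location != null;
            if (!isRedirect || hop >= maxHops) return resp;
            URI next = current.resolve(location);
            if (mustStripAuthorization(current, next)) auth = null; // drop, never forward
            current = next;
        }
    }

    public static void main(String[] args) throws Exception {
        // Automatic following stays off so the loop above is the only redirect path.
        try (AsyncHttpClient client = asyncHttpClient(config().setFollowRedirect(false))) {
            Response r = getWithSafeRedirects(client, "https://api.example.test/resource", "Bearer <token>", 5);
            System.out.println(r.getStatusCode());
        }
    }
}
```

On a patched version the same protection is available without the loop by enabling the stripAuthorizationOnRedirect option the advisory names together with automatic redirect following; the exact builder setter for that option is not shown here because the advisory gives only the option name.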