Reactor Netty HTTP Client Credential Leak Vulnerability on Protocol Downgrade Redirect

Vulnerability

A vulnerability exists in the Reactor Netty HTTP client, versions 1.0.0 prior to 1.0.51, 1.1.0 prior to 1.1.35, 1.2.0 prior to 1.2.17, and 1.3.0 prior to 1.3.5. In certain scenarios where HTTP redirects occur from a secure to an insecure endpoint, the client may unintentionally expose credentials. This issue arises only if the HTTP client is explicitly set to follow redirects.
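To make the failure mode concrete, here is an added example (not Reactor Netty's code, and not from the advisory) that models a redirect-following HTTP client in Python. One mode forwards every request header to the redirect target, which is the behaviour a credential leak requires; the other drops credential-bearing headers whenever the target scheme downgrades from https to http. The URLs, the bearer token and the redirecting server are constructed; the advisory does not say which header leaked in Reactor Netty, so treating the Authorization, Proxy-Authorization and Cookie headers as the sensitive set is an assumption about the general mechanism.

```python
"""Model of an HTTP client's redirect handling: how credentials can leak on a
secure-to-insecure redirect, and how a downgrade-aware policy prevents it.

Added example, not Reactor Netty's code. Requests, responses, hostnames and the
Authorization value below are constructed for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlsplit

# Assumption: these headers carry credentials and must not cross a downgrade.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def is_downgrade(from_url: str, to_url: str) -> bool:
    """True when a redirect moves from an https origin to a plain-http one."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"


def build_redirect(request: Request, response: Response, strip_on_downgrade: bool) -> Request:
    """Construct the follow-up request for a redirect response.

    With strip_on_downgrade=False every header is copied, so credentials travel
    to the insecure endpoint. With True, sensitive headers are removed first."""
    target = urljoin(request.url, response.headers["Location"])
    headers = dict(request.headers)
    if strip_on_downgrade and is_downgrade(request.url, target):
        headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return Request(target, headers)


def follow(request: Request, server, strip_on_downgrade: bool, max_redirects: int = 5):
    """Send the request to `server` (a callable Request -> Response), following
    redirects. Returns the final request that went on the wire plus the chain,
    so the headers actually transmitted can be inspected."""
    chain = [request]
    for _ in range(max_redirects):
        resp = server(request)
        if resp.status not in REDIRECT_STATUSES or "Location" not in resp.headers:
            return request, chain
        request = build_redirect(request, resp, strip_on_downgrade)
        chain.append(request)
    raise RuntimeError("too many redirects")


def constructed_server(request: Request) -> Response:
    # Constructed behaviour: the secure endpoint redirects to its plain-HTTP twin.
    if request.url == "https://api.example/v1/data":
        return Response(302, {"Location": "http://api.example/v1/data"})
    return Response(200)


def sent_authorization(strip_on_downgrade: bool):
    """Run the constructed scenario and report (final URL, Authorization sent)."""
    req = Request("https://api.example/v1/data",
                  {"Authorization": "Bearer CONSTRUCTED-TOKEN"})
    final, _ = follow(req, constructed_server, strip_on_downgrade)
    return final.url, final.headers.get("Authorization")


if __name__ == "__main__":
    print("forward all headers:", sent_authorization(False))
    print("strip on downgrade: ", sent_authorization(True))
```

In the first mode the bearer token reaches the http endpoint in cleartext; in the second the request still follows the redirect but arrives without credentials. A client library fix can also be verified from the outside this way: point a patched client at a test server that answers with a 302 to an http URL and assert on the headers the plain-HTTP listener receives.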

Impact

Exploitation of this vulnerability could lead to the unintentional leakage of credentials during HTTP redirects from secure to insecure endpoints.

Remediation

Users should upgrade to Reactor Netty version 1.0.52, 1.1.36, 1.2.18, or 1.3.6, depending on their current version. Instructions for upgrading are available on the Spring Enterprise Support site.

Added: Jun 9, 2026, 6:33 AM
Updated: Jun 9, 2026, 6:33 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          5.0
  impact          2.5
  exploitability  6.6
  remediation     7.7
  relevance       9.4
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.