CVEFinder.io

CVE-2025-27820

⚠️ high
Summary

A bug in the PSL (Public Suffix List) validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.

CVSS Score
7.5
High
EPSS Score
0.1
Exploit Probability
Published Date
2025-04-24
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,456 vulnerabilities in our database.

#102,448
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 24, 2025
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Joe Gallo (remediation developer)
SSVC data provided by CISA
Last Modified 2025-07-16
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE IDs (Weakness Types)

📦 Affected Products 2

🔗 References 5

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-40542 ⚠️ high 7.3 0.1 Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-... 2026-04-22
CVE-2025-0167 ℹ️ low 3.4 0.2 When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used fo... 2025-02-05
CVE-2024-52533 ⛔ critical 9.8 3.1 gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CON... 2024-11-11
CVE-2024-38286 ⚠️ high 8.6 0.4 Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: ... 2024-11-07
CVE-2024-49761 ⚠️ high 7.5 1.2 REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has ma... 2024-10-28
CVE-2024-47554 🔶 medium 4.3 0.2 Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader c... 2024-10-03
These CVEs affect the same products