GHSA-q6gh-6v2r-hjv3: Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers
The Micronaut DefaultHttpClient component improperly forwards sensitive headers such as Authorization, Cookie, and Proxy-Authorization to redirect targets across different domains. Additionally, it lacks a maximum redirect count, allowing potential infinite redirect loops causing denial of service. This behavior affects versions prior to patched releases in Micronaut 3, 4, and 5.
AI Analysis
Technical Summary
The vulnerability in Micronaut's DefaultHttpClient causes it to follow HTTP redirects while forwarding sensitive headers (Authorization, Cookie, Proxy-Authorization) to redirect targets even across domain boundaries. The implemented blocklist only filters certain headers (Host, Connection, TE, CT, CL), which is insufficient to prevent leakage of sensitive credentials. Furthermore, the client does not enforce a maximum redirect count, enabling attackers to trigger infinite redirect loops leading to denial of service. The issue affects DefaultHttpClient.java in specified lines and has been addressed by stripping sensitive headers on cross-domain redirects in patched versions of Micronaut 3.10.6 and later, 4.10.24 and later, and 5.0.1 and later.
Potential Impact
Sensitive authentication headers can be leaked to unintended domains during HTTP redirects, potentially exposing credentials or session tokens. The lack of a maximum redirect count allows attackers to cause infinite redirect loops, resulting in denial of service conditions. The vulnerability does not impact data integrity or availability beyond the described denial of service and confidentiality risks.
Mitigation Recommendations
Official patches are available and should be applied to remediate this vulnerability. Upgrade to Micronaut versions 3.10.6 or later, 4.10.24 or later, or 5.0.1 or later, depending on your major version. No workarounds are provided. Applying these updates will ensure sensitive headers are stripped on cross-domain redirects and that redirect loops are prevented by enforcing a maximum redirect count.
GHSA-q6gh-6v2r-hjv3: Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers
Description
The Micronaut DefaultHttpClient component improperly forwards sensitive headers such as Authorization, Cookie, and Proxy-Authorization to redirect targets across different domains. Additionally, it lacks a maximum redirect count, allowing potential infinite redirect loops causing denial of service. This behavior affects versions prior to patched releases in Micronaut 3, 4, and 5.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Micronaut's DefaultHttpClient causes it to follow HTTP redirects while forwarding sensitive headers (Authorization, Cookie, Proxy-Authorization) to redirect targets even across domain boundaries. The implemented blocklist only filters certain headers (Host, Connection, TE, CT, CL), which is insufficient to prevent leakage of sensitive credentials. Furthermore, the client does not enforce a maximum redirect count, enabling attackers to trigger infinite redirect loops leading to denial of service. The issue affects DefaultHttpClient.java in specified lines and has been addressed by stripping sensitive headers on cross-domain redirects in patched versions of Micronaut 3.10.6 and later, 4.10.24 and later, and 5.0.1 and later.
Potential Impact
Sensitive authentication headers can be leaked to unintended domains during HTTP redirects, potentially exposing credentials or session tokens. The lack of a maximum redirect count allows attackers to cause infinite redirect loops, resulting in denial of service conditions. The vulnerability does not impact data integrity or availability beyond the described denial of service and confidentiality risks.
Mitigation Recommendations
Official patches are available and should be applied to remediate this vulnerability. Upgrade to Micronaut versions 3.10.6 or later, 4.10.24 or later, or 5.0.1 or later, depending on your major version. No workarounds are provided. Applying these updates will ensure sensitive headers are stripped on cross-domain redirects and that redirect loops are prevented by enforcing a maximum redirect count.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-q6gh-6v2r-hjv3
- Osv Schema Version
- 1.4.0
- Aliases
- []
- Ecosystems
- ["Maven"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a4fa9a168715ace437d3dd8
Added to database: 07/09/2026, 14:01:05 UTC
Last enriched: 07/09/2026, 14:03:25 UTC
Last updated: 07/09/2026, 18:17:32 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.