{"id":"CVE-2024-53990","summary":"AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s","details":"The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.","aliases":["GHSA-mfj5-cf8g-g2fv"],"modified":"2026-05-18T05:57:20.082960084Z","published":"2024-12-02T17:10:28.229Z","related":["CGA-xw4h-xx8w-8vm8"],"database_specific":{"cwe_ids":["CWE-287"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53990.json"},"references":[{"type":"ADVISORY","url":"https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53990.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53990"},{"type":"REPORT","url":"https://github.com/AsyncHttpClient/async-http-client/issues/1964"},{"type":"FIX","url":"https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425"},{"type":"FIX","url":"https://github.com/AsyncHttpClient/async-http-client/pull/2033"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asynchttpclient/async-http-client","events":[{"introduced":"0"},{"fixed":"6bd376ad336a237ef02a632df0042d4eb22e2d32"}]}],"versions":["async-http-client-project-2.12.3","async-http-client-project-3.0.0","async-http-client-project-3.0.0.Beta3","async-http-client-project-3.0.0.Beta2","async-http-client-project-2.12.2","async-http-client-project-2.12.1","async-http-client-project-2.12.0","async-http-client-project-2.11.0","async-http-client-project-2.10.5","async-http-client-project-2.10.4","async-http-client-project-2.10.3","async-http-client-project-2.10.2","async-http-client-project-2.10.1","async-http-client-project-2.10.0","async-http-client-project-2.9.0","async-http-client-project-2.8.1","async-http-client-project-2.8.0","async-http-client-project-2.7.0","async-http-client-project-2.6.0","async-http-client-project-2.5.4","async-http-client-project-2.5.3","async-http-client-project-2.5.2","async-http-client-project-2.5.1","async-http-client-project-2.5.0","async-http-client-project-2.4.9","async-http-client-project-2.4.8","async-http-client-project-2.4.7","async-http-client-project-2.4.6","async-http-client-project-2.4.5","async-http-client-project-2.4.4","async-http-client-project-2.4.3","async-http-client-project-2.4.2","async-http-client-project-2.4.1","async-http-client-project-2.4.0","async-http-client-project-2.3.0","async-http-client-project-2.2.1","async-http-client-project-2.2.0","async-http-client-project-2.1.2","async-http-client-project-2.1.1","async-http-client-project-2.1.0","async-http-client-project-2.1.0-RC4","async-http-client-project-2.1.0-RC3","async-http-client-project-2.1.0-RC2","async-http-client-project-2.1.0-RC1","async-http-client-project-2.1.0-alpha26","async-http-client-project-2.1.0-alpha25","async-http-client-project-2.1.0-alpha24","async-http-client-project-2.1.0-alpha23","async-http-client-project-2.1.0-alpha22","async-http-client-project-2.1.0-alpha21","async-http-client-project-2.1.0-alpha20","async-http-client-project-2.1.0-alpha19","async-http-client-project-2.1.0-alpha18","async-http-client-project-2.1.0-alpha17","async-http-client-project-2.1.0-alpha16","async-http-client-project-2.1.0-alpha15","async-http-client-project-2.1.0-alpha14","async-http-client-project-2.1.0-alpha13","async-http-client-project-2.1.0-alpha12","async-http-client-project-2.1.0-alpha11","async-http-client-project-2.1.0-alpha10","async-http-client-project-2.1.0-alpha9","async-http-client-project-2.1.0-alpha8","async-http-client-project-2.1.0-alpha7","async-http-client-project-2.1.0-alpha6","async-http-client-project-2.1.0-alpha5","async-http-client-project-2.1.0-alpha4","async-http-client-project-2.1.0-alpha3","async-http-client-project-2.1.0-alpha2","async-http-client-project-2.0.24","async-http-client-project-2.0.23","async-http-client-project-2.0.22","async-http-client-project-2.0.21","async-http-client-project-2.0.20","async-http-client-project-2.0.19","async-http-client-project-2.0.18","async-http-client-project-2.0.17","async-http-client-project-2.0.16","async-http-client-project-2.0.15","async-http-client-project-2.0.14","async-http-client-project-2.0.13","async-http-client-project-2.0.12","async-http-client-project-2.0.11","async-http-client-project-2.0.10","async-http-client-project-2.0.9","async-http-client-project-2.0.8","async-http-client-project-2.0.7","async-http-client-project-2.0.6","async-http-client-project-2.0.5","async-http-client-project-2.0.4","async-http-client-project-2.0.3","async-http-client-project-2.0.2","async-http-client-project-2.0.1","async-http-client-project-2.0.0","async-http-client-project-2.0.0-RC21","async-http-client-project-2.0.0-RC20","async-http-client-project-2.0.0-RC19","async-http-client-project-2.0.0-RC18","async-http-client-project-2.0.0-RC17","async-http-client-project-2.0.0-RC16","async-http-client-project-2.0.0-RC15","async-http-client-project-2.0.0-RC14","async-http-client-project-2.0.0-RC13","async-http-client-project-2.0.0-RC12","async-http-client-project-2.0.0-RC11","async-http-client-project-2.0.0-RC10","async-http-client-project-2.0.0-RC9","async-http-client-project-2.0.0-RC8","async-http-client-project-2.0.0-RC7","async-http-client-project-2.0.0-RC6","async-http-client-project-2.0.0-RC5","async-http-client-project-2.0.0-RC4","async-http-client-project-2.0.0-RC3","async-http-client-project-2.0.0-RC2","async-http-client-project-2.0.0-RC1","async-http-client-project-2.0.0-alpha27","async-http-client-project-2.0.0-alpha26","async-http-client-project-2.0.0-alpha25","async-http-client-project-2.0.0-alpha24","async-http-client-project-2.0.0-alpha23","async-http-client-project-2.0.0-alpha22","async-http-client-project-2.0.0-alpha21","async-http-client-project-2.0.0-alpha20","async-http-client-project-2.0.0-alpha19","async-http-client-project-2.0.0-alpha18","async-http-client-project-2.0.0-alpha17","async-http-client-project-2.0.0-alpha16","async-http-client-project-2.0.0-alpha15","async-http-client-project-2.0.0-alpha14","async-http-client-project-2.0.0-alpha13","async-http-client-project-2.0.0-alpha12","async-http-client-project-2.0.0-alpha11","async-http-client-project-2.0.0-alpha10","async-http-client-project-2.0.0-alpha9","2.0.0-alpha8","2.0.0-alpha7","2.0.0-alpha6","2.0.0-alpha5","2.0.0-alpha4","2.0.0-alpha3","2.0.0-alpha2","2.0.0-alpha1","async-http-client-1.7.4","async-http-client-1.7.3","async-http-client-1.7.2","async-http-client-1.7.1","async-http-client-1.7.0","async-http-client-1.6.3","async-http-client-1.6.2","async-http-client-1.6.1","async-http-client-1.6.0","async-http-client-1.5.0","async-http-client-1.4.1","async-http-client-1.4.0","async-http-client-1.3.2","async-http-client-1.3.1","async-http-client-1.3.0","async-http-client-1.2.0","async-http-client-1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}