CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Basic Information

ID CVE-2025-22227

Source vmware

Published Jul 16, 2025 at 09:31

Modified Jul 16, 2025 at 14:39

Affected Product

Vendor VMware

Product Reactor Netty

Version 1.0.x

Affected Versions VMware Reactor Netty 1.0.x
VMware Reactor Netty 1.1.x
VMware Reactor Netty 1.2.x
VMware Reactor Netty 1.3.x

CWE Classification

CWE-200

References

spring.io /security/cve-2025-22227

{
    "lastseen": "",
    "description": "In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.",
    "published": "2025-07-16T09:31:15.293Z",
    "modified": "2025-07-16T14:39:58.789Z",
    "type": "cve",
    "title": "CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client",
    "source": "vmware",
    "references": "https://spring.io/security/cve-2025-22227",
    "id": "CVE-2025-22227",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "VMware Reactor Netty 1.0.x\nVMware Reactor Netty 1.1.x\nVMware Reactor Netty 1.2.x\nVMware Reactor Netty 1.3.x",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Reactor Netty",
    "version": "1.0.x",
    "vendor": "VMware",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client_CVE-2025-22227