CVE-2025-22227: Reactor Netty HTTP is vulnerable to credential leaks during chained redirects
In some specific scenarios with chained redirects, the Reactor Netty HTTP client leaks credentials. For this to happen, the HTTP client must have been explicitly configured to follow redirects.
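One way to check a code base for the precondition named above, as an added example that is not part of the advisory or of Reactor Netty: a Python scan that flags Java and Kotlin sources calling `followRedirect` with anything other than the literal `false`. The function names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

# Matches a followRedirect(...) call and captures the start of its first argument.
CALL = re.compile(r"\.followRedirect\s*\(\s*([^\s,)]*)")

def find_redirect_following(source, path="<memory>"):
    """Return (path, line, first_arg) for calls that may enable redirect following."""
    findings = []
    for m in CALL.finditer(source):
        first_arg = m.group(1)
        if first_arg == "false":  # redirects explicitly disabled
            continue
        line = source.count("\n", 0, m.start()) + 1
        findings.append((path, line, first_arg))
    return findings

def scan_tree(root):
    """Scan every .java and .kt file under root. Commented-out calls are not
    filtered, so each finding still needs a manual look."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in {".java", ".kt"}:
            findings += find_redirect_following(p.read_text(errors="replace"), str(p))
    return findings

# Constructed sample source, not taken from any real project.
SAMPLE = """\
HttpClient a = HttpClient.create().followRedirect(true);
HttpClient b = HttpClient.create().followRedirect(false);
HttpClient c = HttpClient.create()
        .followRedirect((req, res) -> res.status().code() == 302);
HttpClient d = HttpClient.create();
"""

if __name__ == "__main__":
    for path, line, arg in find_redirect_following(SAMPLE):
        print(f"{path}:{line}: followRedirect({arg}...) enables or may enable redirects")
```

Predicate and non-literal arguments are reported as well, because whether they enable redirect following can only be decided by reading the call.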