CVE-2025-27820: Apache HttpClient disables domain checks
A bug in the Public Suffix List (PSL) validation logic in Apache HttpClient 5.4.x effectively disables domain checks, affecting both cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.
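An added regression check, not the project's own code or tests, that a practitioner can run against whichever httpclient5 build is on the classpath to confirm PSL-based domain decisions behave as the list dictates. It assumes httpclient5 is on the classpath, that `PublicSuffixMatcherLoader.getDefault()` loads the bundled list offline, and that the reported bug is observable through the public `PublicSuffixMatcher` API.

```java
import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;

/** Sanity check that Public Suffix List domain validation is active in the HttpClient on the classpath. */
public final class PslDomainCheck {

    /** Returns true only if every expected public-suffix decision matches what the PSL dictates. */
    public static boolean pslChecksIntact() {
        // getDefault() loads the Public Suffix List bundled with httpclient5 (no network access needed)
        PublicSuffixMatcher matcher = PublicSuffixMatcherLoader.getDefault();

        // "co.uk" and "com" are public suffixes: a cookie scoped to them would be sent to every
        // site under that suffix, so the matcher must flag them
        boolean suffixesRecognised = matcher.matches("co.uk") && matcher.matches("com");

        // a registrable domain must not be treated as a public suffix
        boolean registrableNotFlagged = !matcher.matches("example.co.uk");

        // the domain root of a host is its registrable domain; a bare public suffix has no root
        boolean rootCorrect = "example.co.uk".equals(matcher.getDomainRoot("www.example.co.uk"))
                && matcher.getDomainRoot("co.uk") == null;

        return suffixesRecognised && registrableNotFlagged && rootCorrect;
    }

    public static void main(String[] args) {
        boolean ok = pslChecksIntact();
        System.out.println(ok
                ? "PSL domain checks active"
                : "PSL domain checks not behaving as expected: upgrade to HttpClient 5.4.3 or later");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once against the affected 5.4.x build and once after upgrading to 5.4.3 to confirm the fix actually reached the deployed classpath.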
References
- github.com/advisories/GHSA-73m2-qfq3-56cx
- github.com/apache/httpcomponents-client
- github.com/apache/httpcomponents-client/pull/574
- github.com/apache/httpcomponents-client/pull/621
- hc.apache.org/httpcomponents-client-5.4.x/index.html
- lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
- nvd.nist.gov/vuln/detail/CVE-2025-27820