Bug 2380447 (CVE-2025-22227)
| Summary: | CVE-2025-22227 io.projectreactor.netty/reactor-netty: Reactor Netty Credential Leak via Redirects | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, darran.lofthouse, dkreling, dosoudil, fmariani, gmalinko, istudens, ivassile, iweiss, janstey, jpoth, mosmerov, msochure, msvehla, nwallace, pdelbell, pesilva, pjindal, pmackay, rstancel, rstepani, smaestri, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in io.projectreactor.netty/reactor-netty. Reactor Netty’s HTTP client, when explicitly configured to follow redirects in chained redirect scenarios, can inadvertently leak credentials. This flaw allows an attacker to trigger this credential leakage by manipulating the redirect chain. This issue exposes sensitive information to an attacker who can observe the network traffic.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-07-16 10:01:21 UTC
|