2362042 – (CVE-2025-27820) CVE-2025-27820 org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass

Bug 2362042 (CVE-2025-27820) - CVE-2025-27820 org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass

Summary: CVE-2025-27820 org.apache.httpcomponents.client5/httpclient5: Apache HttpComp...

Keywords:
Status:	NEW
Alias:	CVE-2025-27820
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-24 12:01 UTC by OSIDB Bzimport
Modified:	2025-04-29 12:39 UTC (History)
CC List:	74 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-24 12:01:10 UTC

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

Note You need to log in before you can comment on or make changes to this bug.

aazores
abrianik
asoldano
ataylor
bbaranow
bmaxwell
brian.stansberry
caswilli
ccranfor
cdewolf
chfoley
cmah
csutherl
darran.lofthouse
dhanak
dkreling
dosoudil
eaguilar
ebaron
ecerquei
eric.wittmann
fjuma
fmariani
fmongiar
ggrzybek
gmalinko
ibek
istudens
ivassile
iweiss
janstey
jclere
jkoehler
jnethert
jolong
jpechane
jpoth
jrokos
jross
jscholz
kaycoth
kholdawa
kverlaen
lcouzens
lgao
lphiri
mnovotny
mosmerov
mskarbek
msochure
msvehla
nipatil
nwallace
pantinor
parichar
pdelbell
pesilva
pjindal
plodge
pmackay
porcelli
rguimara
rkieley
rkubis
rstancel
rstepani
sfroberg
smaestri
swoodman
szappis
tasato
tcunning
tom.jenkinson
yfang