CVE-2025-27820

EUVD-2025-12102
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
apachehttpclient
5.4 ≤
𝑥
< 5.4.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
httpcomponents-client
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
oracular
ignored
plucky
ignored
questing
needs-triage
trusty
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/apache/httpcomponents-client/pull/574
https://github.com/apache/httpcomponents-client/pull/621
https://hc.apache.org/httpcomponents-client-5.4.x/index.html
https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8
https://security.netapp.com/advisory/ntap-20250516-0003/