Apache HttpComponents security advisories

Security information for Apache HttpComponents

Reporting

Do you want disclose a potential security issue for Apache HttpComponents? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

HPackDecoder Unlimited Header List Size Before SETTINGS ACK

CVE-2026-54428 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-01T17:05:28.114Z

Affected

  • Apache HttpComponents Core from 5.5-alpha through 5.5-beta1
  • Apache HttpComponents Core from 5.0-alpha through 5.4.2

Description

Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.

References

Credits

Unbounded HTTP Header/Line Length in Default Configuration

CVE-2026-54399 [CVE] [CVE json] [OSV json]

Last updated: 2026-07-01T17:05:54.930Z

Affected

  • Apache HttpComponents Core from 5.5-alpha through 5.5-beta1
  • Apache HttpComponents Core from 5.0-alpha through 5.4.2

Description

Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length

References

Credits

SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification

CVE-2026-40542 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-22T07:07:19.055Z

Affected

  • Apache HttpClient from 5.6 before 5.6.1

Description

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

References

Credits

  • Rasmus Moorats (finder)

PSL (Public Suffix List) validation bypass

CVE-2025-27820 [CVE] [CVE json] [OSV json]

Last updated: 2025-06-04T11:19:13.066Z

Affected

  • Apache HttpComponents from 5.4.0 before 5.4.3

Description

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

References

Credits

  • Joe Gallo (remediation developer)