CVE-2025-22227
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| VMware | Reactor Netty | 1.0.x < 1.0.49 (Reactor BOM 2020.0.48) | affected |
| VMware | Reactor Netty | 1.1.x < 1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20) | affected |
| VMware | Reactor Netty | 1.2.x < 1.2.8 (Reactor BOM 2024.0.8) | affected |
| VMware | Reactor Netty | 1.3.x < 1.3.0-M5 (Reactor BOM 2025.0.0-M5) | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.