CVE-2025-22227

Summary

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

Affected Software

VendorProductVersion RangeStatus
VMwareReactor Netty1.0.x < 1.0.49 (Reactor BOM 2020.0.48)affected
VMwareReactor Netty1.1.x < 1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20)affected
VMwareReactor Netty1.2.x < 1.2.8 (Reactor BOM 2024.0.8)affected
VMwareReactor Netty1.3.x < 1.3.0-M5 (Reactor BOM 2025.0.0-M5)affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References