CVE-2025-27820

CWE-295 — Improper Certificate Validation8 documents7 sources

Severity

7.5HIGH

EPSS

0.3%

top 44.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Httpcomponents Apache Httpclient Netapp Ontap Tools

Timeline

PublishedApr 24

Latest updateJul 15

Description

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/httpclient5.4 — 5.4.3

▶Mavenorg.apache.httpcomponents.client5:httpclient55.4-alpha1 — 5.4.3

▶CVEListV5apache_software_foundation/apache_httpcomponents5.4.0 — 5.4.3

Also affects: Ontap Tools 10

Patches

Patch: github.com ↗Patch: github.com ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

GHSA

Apache HttpClient disables domain checks↗2025-04-24

▶

CVEList

Apache HttpComponents: PSL (Public Suffix List) validation bypass↗2025-04-24

▶

OSV

Apache HttpClient disables domain checks↗2025-04-24

▶

OSV

CVE-2025-27820: A bug in PSL validation logic in Apache HttpClient 5↗2025-04-24

▶

📋Vendor Advisories

Oracle

Oracle Oracle GoldenGate Risk Matrix: Java Delivery (Apache HttpClient) — CVE-2025-27820↗2025-07-15

▶

Red Hat

org.apache.httpcomponents.client5/httpclient5: Apache HttpComponents: PSL (Public Suffix List) validation bypass↗2025-04-24

▶

Debian

CVE-2025-27820: httpcomponents-client - A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks,...↗2025

▶