Seal Security

CVE-2025-27820

Apache HttpClient disables domain checks

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

7.5

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Versions

org.apache.httpcomponents.client5:httpclient5 >= 5.4-alpha1 < 5.4.3

Severity

High

Ecosystem

Publish Date

April 24, 2025

Modified Date

May 16, 2025