CVE-2025-22227
Reactor Netty HTTP is vulnerable to credential leaks during chained redirects
Severity: 6.1 MEDIUM (CVSS 3.1)
EPSS: 0.11%
Description
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
How to fix CVE-2025-22227
To remediate CVE-2025-22227, upgrade the affected package to the fixed version listed below.
- upgrade to 1.3.0-M5 or later
Is CVE-2025-22227 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.3.0-M1, < 1.3.0-M5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |