CVE-2025-27820
Apache HttpClient disables domain checks
Severity: 7.5 HIGH (CVSS 3.1); EPSS 0.07%
Description
A bug in the PSL (Public Suffix List) validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.
How to fix CVE-2025-27820
To remediate CVE-2025-27820, upgrade the affected package to the fixed version listed below.
- Maven: org.apache.httpcomponents.client5:httpclient5, upgrade to 5.4.3 or later
Is CVE-2025-27820 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- org.apache.httpcomponents.client5:httpclient5: >= 5.4-alpha1, < 5.4.3
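As an added check that is not part of the advisory: the following Python tests a Maven version string against the affected range above (5.4-alpha1 inclusive up to, but excluding, 5.4.3) and scans `mvn dependency:list`-style output for httpclient5 entries inside it. The qualifier ordering is a simplified assumption modelled on Maven's rules, and the sample output is constructed.

```python
import re

# Affected range as stated in the advisory: >= 5.4-alpha1, < 5.4.3.
PACKAGE = "org.apache.httpcomponents.client5:httpclient5"
AFFECTED_FROM, FIXED_IN = "5.4-alpha1", "5.4.3"

# Simplified qualifier ordering (assumption: a subset of Maven's ComparableVersion
# rules); no qualifier means a final release, which sorts after every pre-release.
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                   "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)-?(\d*))?")


def parse_version(version: str):
    """'5.4-alpha1' -> ((5, 4), (0, 1)); trailing .0 parts are dropped so 5.4.0 == 5.4."""
    m = _VERSION_RE.fullmatch(version.strip())
    qualifier = (m.group(2) or "").lower() if m else None
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers), (_QUALIFIER_RANK[qualifier], int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when version lies in [AFFECTED_FROM, FIXED_IN); tuple ordering does the work."""
    return parse_version(AFFECTED_FROM) <= parse_version(version) < parse_version(FIXED_IN)


def affected_dependencies(dependency_list: str):
    """Scan group:artifact:type[:classifier]:version:scope lines (the shape printed by
    `mvn dependency:list`) and return the httpclient5 coordinates in the affected range."""
    hits = []
    for raw in dependency_list.splitlines():
        parts = raw.replace("[INFO]", "").strip().split(":")
        if len(parts) not in (5, 6):
            continue  # not a dependency coordinate line
        coordinate, version = f"{parts[0]}:{parts[1]}", parts[-2]
        if coordinate == PACKAGE and is_affected(version):
            hits.append((coordinate, version))
    return hits


# Constructed sample in the dependency:list shape (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.httpcomponents.client5:httpclient5:jar:5.4.2:compile
[INFO]    org.apache.httpcomponents.client5:httpclient5:jar:5.4.3:test
"""
```

Pre-release builds of 5.4 (alpha, beta, RC, SNAPSHOT) fall inside the range, so a pinned 5.4-beta1 is reported just like 5.4.2.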
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |