CVE-2025-22227
📋 TL;DR
The Reactor Netty HTTP client can leak credentials when it is configured to follow redirects, in specific chained redirect scenarios: authentication headers attached to the original request can be re-sent to a later hop in the chain that should not receive them. Applications are affected only if they use a vulnerable Reactor Netty version and have redirect following enabled on the client (it is off by default).
💻 Affected Systems
- Reactor Netty HTTP client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The database entry used here does not include version ranges for this CVE; consult the vendor advisory linked below for the affected and fixed versions.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authentication credentials (tokens, passwords, API keys) are exposed to malicious servers during redirect chains, leading to account compromise and unauthorized access to protected resources.
Likely Case
Credentials are unintentionally sent to intermediate servers during legitimate redirect scenarios, potentially exposing them to third-party services that shouldn't receive authentication data.
If Mitigated
Network egress controls and per-service credentials limit where a leaked credential can travel and what it unlocks, but they do not stop the client from sending it; the leak itself still occurs until the library is patched or redirect following is disabled.
🎯 Exploit Status
Requires an attacker to control, or be able to insert, a server in the redirect chain (for example a compromised intermediate that redirects to an attacker-controlled host). Whether it is exploitable depends on the application's redirect configuration and on which hosts the client talks to.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: see the Spring security advisory linked below for the fixed Reactor Netty versions (the advisory is published by the Spring team; it is not specific to the Spring Security project)
Vendor Advisory: https://spring.io/security/cve-2025-22227
Restart Required: Yes
Instructions:
1. Review the Spring security advisory linked above for the exact affected and fixed versions
2. Update Reactor Netty to a fixed version (if Spring Boot manages the version for you, upgrade to a Boot release that pulls in the fixed Reactor Netty, or override the managed version)
3. Restart affected applications
4. Verify redirect behaviour in a test environment: confirm that a chained redirect no longer carries authentication headers to later hops
🔧 Temporary Workarounds
Disable redirect following
Configure the Reactor Netty HttpClient not to follow redirects at all: call .followRedirect(false) (the default) and handle any 3xx response explicitly in application code.
Restrict and sanitize redirects
If redirects must be followed, use the followRedirect overload that takes a BiPredicate<HttpClientRequest, HttpClientResponse> to allow only expected targets, and its redirect-request Consumer<HttpClientRequest> to remove Authorization, Proxy-Authorization and Cookie headers before the redirected request is sent. Reactor Netty has no separate "RedirectHandler" class; this predicate/consumer pair is the customization point.
🧯 If You Can't Patch
- Disable HTTP redirect following in all Reactor Netty client configurations
- Implement network monitoring for credential leakage to unauthorized domains
- Use separate authentication tokens for different services to limit blast radius
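The workarounds above and the "If You Can't Patch" items, put together in code as an added example (this is not code from the page or from the Reactor Netty project): the weak `followRedirect(true)` configuration sits beside the `followRedirect(false)` workaround and an allow-listed variant that checks every hop of a chain and strips credential headers from the redirected request. The host allow-list, the https-only rule and the assumption that the redirect-request consumer runs after the original headers have been copied onto the new request are mine; the `followRedirect` overloads, `HttpClientResponse.status()`, `responseHeaders()` and `HttpClientRequest.requestHeaders()` are the real Reactor Netty 1.x / Netty APIs.

```java
import io.netty.handler.codec.http.HttpHeaderNames;
import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;
import reactor.netty.http.client.HttpClientResponse;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import java.util.function.BiPredicate;

/** Reactor Netty HttpClient redirect configurations: the weak one beside two hardened alternatives. */
public final class SafeRedirectClient {

    // Hosts we are willing to follow a redirect to (assumption: the application's own services).
    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "auth.example.com");

    /** Weak: follows every redirect, so any hop in a chain may receive the request headers. */
    static HttpClient permissive() {
        return HttpClient.create().followRedirect(true);
    }

    /** Simplest workaround: never follow; the caller sees the 3xx and decides what to do. */
    static HttpClient noRedirects() {
        return HttpClient.create().followRedirect(false);
    }

    /**
     * True only for an absolute https Location on an allow-listed host, or for a relative
     * Location (no host), which stays on the origin we are already talking to.
     * Scheme-relative ("//evil.example.net/x") and userinfo tricks ("https://api.example.com@evil/")
     * both resolve to a host that is checked, so they are rejected.
     */
    static boolean isAllowedRedirect(String location) {
        try {
            URI target = new URI(location);
            if (target.getHost() == null) {
                return !target.isAbsolute(); // relative path: same origin; "mailto:" and friends: no
            }
            return "https".equalsIgnoreCase(target.getScheme())
                    && ALLOWED_HOSTS.contains(target.getHost().toLowerCase());
        } catch (URISyntaxException e) {
            return false; // unparsable Location header: do not follow
        }
    }

    /**
     * Follows redirects only when the Location is acceptable. The predicate is consulted for
     * every response, so each hop of a chained redirect is checked independently; the consumer
     * then strips credentials from the redirected request before it is sent (assumption: the
     * consumer sees the headers already copied from the original request).
     */
    static HttpClient allowListed() {
        BiPredicate<HttpClientRequest, HttpClientResponse> followOnlyAllowed = (req, res) -> {
            int code = res.status().code();
            if (code < 300 || code > 399) {
                return false;
            }
            String location = res.responseHeaders().get(HttpHeaderNames.LOCATION);
            return location != null && isAllowedRedirect(location);
        };
        return HttpClient.create().followRedirect(followOnlyAllowed, redirected -> {
            // Never carry caller-supplied credentials across a redirect, even to an allowed host;
            // re-attach the credential for the new host here if that host needs one.
            redirected.requestHeaders().remove(HttpHeaderNames.AUTHORIZATION);
            redirected.requestHeaders().remove(HttpHeaderNames.PROXY_AUTHORIZATION);
            redirected.requestHeaders().remove(HttpHeaderNames.COOKIE);
        });
    }
}
```

Because the consumer strips credentials unconditionally, a redirect target that genuinely needs a different token must have it re-attached inside the consumer; that is what keeps one service's credential from ever reaching another, the blast-radius control the list above asks for. This is a containment measure for unpatched deployments, not a substitute for upgrading.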
🔍 How to Verify
Check if Vulnerable:
Check whether the application builds a Reactor Netty HttpClient with redirect following enabled: look for .followRedirect(true) and also for the overloads that take a predicate or a redirect-request consumer, since those enable following too. Spring WebClient instances that use ReactorClientHttpConnector run on this client as well, so review their configuration.
Check Version:
Check build.gradle or pom.xml for the io.projectreactor.netty:reactor-netty-http (or reactor-netty) version; when it arrives transitively, for example through Spring Boot's dependency management, use Maven's dependency:tree or Gradle's dependencies task to see the resolved version
Verify Fix Applied:
After patching, test redirect scenarios with monitoring to ensure credentials are not sent to unauthorized redirect targets.
📡 Detection & Monitoring
Log Indicators:
- Multiple redirects in HTTP client logs
- Credentials sent to unexpected domains in network logs
- HTTP 3xx responses followed by requests that carry authentication headers to a different host
Network Indicators:
- HTTP traffic showing authentication headers sent to multiple domains in redirect chain
- Credentials appearing in requests to unexpected servers
SIEM Query:
http.status_code:3* AND http.request.headers.authorization:* AND destination.domain NOT IN (allowed_domains)
Note that the request that actually leaks is the one issued after the 3xx, to the redirect target, and it may receive any status; the 3xx belongs to the previous event. Query for authentication headers sent to non-allow-listed domains on their own, and use the preceding 3xx to tie a hit to a redirect chain.
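The log-side indicators above, applied as a rule over constructed client log lines, as an added example (not code from the page): the key=value log format, the field names and the allow-list are invented here for illustration, and a real deployment would feed the same rule from its HTTP client or egress proxy logs. The rule flags any request that carried an Authorization header to a host outside the allow-list and labels it as a redirect leak when the previous hop in the chain answered 3xx.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Flags credential-bearing requests to unexpected hosts in an ordered redirect chain. */
public final class RedirectLeakDetector {

    /** One client-side HTTP record: the host the request went to, the response status, and
     *  whether the request carried an Authorization header (constructed format, not a product's). */
    record Entry(String host, int status, boolean hasAuthorizationHeader) {}

    // Hosts that may legitimately receive this client's credential (assumption for the example).
    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "auth.example.com");

    /** Parses a constructed line such as "host=api.example.com status=302 authorization=present". */
    static Entry parse(String line) {
        String host = null;
        int status = 0;
        boolean auth = false;
        for (String field : line.trim().split("\\s+")) {
            int eq = field.indexOf('=');
            if (eq < 0) {
                continue;
            }
            String key = field.substring(0, eq);
            String value = field.substring(eq + 1);
            switch (key) {
                case "host" -> host = value.toLowerCase();
                case "status" -> status = Integer.parseInt(value);
                case "authorization" -> auth = value.equals("present");
                default -> { }
            }
        }
        if (host == null) {
            throw new IllegalArgumentException("missing host field: " + line);
        }
        return new Entry(host, status, auth);
    }

    /**
     * Walks one chain in emission order. A request that carried Authorization to a host outside
     * the allow-list is always reported; if the record before it was a 3xx, the client followed
     * a redirect into that host, which is the pattern this CVE produces.
     */
    static List<String> findLeaks(List<String> chainLines) {
        List<String> findings = new ArrayList<>();
        Entry previous = null;
        for (String line : chainLines) {
            Entry current = parse(line);
            boolean afterRedirect = previous != null && previous.status() / 100 == 3;
            if (current.hasAuthorizationHeader() && !ALLOWED_HOSTS.contains(current.host())) {
                findings.add((afterRedirect ? "redirect-leak " : "auth-to-unknown-host ") + current.host());
            }
            previous = current;
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed chain: allowed host -> allowed host -> third-party host, credential carried throughout.
        List<String> chain = List.of(
                "host=api.example.com status=302 authorization=present",
                "host=auth.example.com status=302 authorization=present",
                "host=cdn.third-party.example status=200 authorization=present");
        findLeaks(chain).forEach(System.out::println); // one finding: redirect-leak cdn.third-party.example
    }
}
```

Grouping records into chains is left to the log source (a request id or connection id is the usual key); the rule itself only needs the previous hop's status and the current hop's host and headers, which is why the SIEM query above should key on the credential-bearing request rather than on the 3xx.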