{"id":"CVE-2025-27820","details":"A bug in the Public Suffix List (PSL) validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release.","aliases":["GHSA-73m2-qfq3-56cx"],"modified":"2026-04-10T05:25:04.795077Z","published":"2025-04-24T12:15:16.723Z","related":["CGA-fgfp-hrmx-3xqq"],"references":[{"type":"WEB","url":"https://hc.apache.org/httpcomponents-client-5.4.x/index.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250516-0003/"},{"type":"FIX","url":"https://github.com/apache/httpcomponents-client/pull/574"},{"type":"FIX","url":"https://github.com/apache/httpcomponents-client/pull/621"},{"type":"FIX","url":"https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/httpcomponents-client","events":[{"introduced":"84cccfe6300bca6b37abd05af527df08a781b677"},{"fixed":"48236f5f1a7b78f4446d2c00c4c25c598148f57b"}],"database_specific":{"versions":[{"introduced":"5.4"},{"fixed":"5.4.3"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27820.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}