GHSA-j52r-xc68-q8f4

GitHub Security Advisory

Insufficiently Protected Credentials in Pivotal Reactor Netty

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to.

Affected Packages

Maven io.projectreactor.netty:reactor-netty
Affected versions: all versions prior to 0.8.11 (fixed in 0.8.11)

Related CVEs

Key Information

GHSA ID: GHSA-j52r-xc68-q8f4
Published: October 23, 2019 2:14 PM
Last Modified: August 18, 2021 9:52 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: io.projectreactor.netty:reactor-netty
GitHub Reviewed: Yes

Dataset

Last updated: September 3, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.