Security vulnerabilities continue to surface in the application ecosystem, and widely used libraries are not exempt. In web application development, Apache HttpClient is a popular library for handling HTTP communication, yet even a library this widely deployed can carry bugs with real security consequences. This post discusses CVE-2025-27820, a vulnerability in the Apache HttpClient 5.4.x releases that affects the domain checks performed against the Public Suffix List (PSL).
Description
The Apache HttpClient team discovered a bug in the Public Suffix List (PSL) validation logic of HttpClient 5.4.x (CVE-2025-27820). The bug disables domain checks, which affects both cookie management and host name verification. HttpClient consults the Public Suffix List to decide whether a domain is a valid scope before exchanging cookies with it or validating a server's host name. With that validation compromised, an attacker could potentially exploit the flaw to hijack cookies or spoof host names.
Exploit Details
The flaw lies in the org.apache.hc.client5.http.psl.PublicSuffixListParser class, which parses the Public Suffix List data and builds a PublicSuffixList object. The implementation mishandles wildcard rules, which leads to the issue described above. The following snippet demonstrates the problem:
// The parse() method in the org.apache.hc.client5.http.psl.PublicSuffixListParser class
public PublicSuffixList parse(final InputStream in) throws IOException {
    // ...
    for (final String s : buffer.toString().split("[\r\n]+")) {
        // Skip blank lines and comment lines
        if (s.length() == 0 || s.startsWith("//")) {
            continue;
        }
        // Exception rules ("!example") are rejected outright
        if (s.startsWith("!")) {
            throw new UnsupportedOperationException("Not supported: Rule " + s + " at " + lineNo);
        }
        final int n = s.indexOf(WC_PREFIX);
        if (n == -1) {
            entries.add(s);
        } else {
            // A wildcard rule such as '*.domain.com' should add 'domain.com' to the
            // public suffix list, but instead the rule is rejected and never recorded.
            throw new UnsupportedOperationException("Not supported: Rule " + s + " at " + lineNo);
        }
    }
    // ...
}
Note that the snippet above checks for the wildcard prefix *. in the domain part of each rule. When it finds one, instead of recording the rule it throws an UnsupportedOperationException, so the wildcard domain never reaches the Public Suffix List. This oversight is what CVE-2025-27820 amounts to in the affected Apache HttpClient releases.
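To make the consequence concrete, here is an added reference implementation (example code, not HttpClient's own) of the PSL matching algorithm published at publicsuffix.org, in which a wildcard rule such as *.ck makes each label directly under ck a public suffix and an exception rule such as !www.ck carves out a registrable name. The constructed SAMPLE_PSL excerpt, the drop_wildcards switch that mimics a parser discarding wildcard rules, and the cookie_domain_allowed check are all assumptions of this example; together they show how losing the wildcard rules lets a cookie be scoped to a name that should have been treated as a public suffix.

```python
# Constructed excerpt in PSL file format (not the real list).
SAMPLE_PSL = """// comments and blank lines are ignored
com
*.ck
!www.ck
"""

def parse_psl(text, drop_wildcards=False):
    """Return (rules, exceptions). drop_wildcards=True mimics a parser
    that discards '*.' rules, the failure mode discussed above."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exceptions.add(line[1:])
        elif not (drop_wildcards and line.startswith("*.")):
            rules.add(line)
    return rules, exceptions

def _rule_matches(rule, labels):
    # Rules match right to left; '*' matches exactly one label.
    r = rule.split(".")
    return len(r) <= len(labels) and all(
        a in ("*", b) for a, b in zip(reversed(r), reversed(labels)))

def public_suffix(domain, rules, exceptions):
    """An exception rule wins and loses its leftmost label; otherwise the
    longest matching rule; otherwise the implicit '*' (rightmost label)."""
    labels = domain.lower().rstrip(".").split(".")
    exc = [e for e in exceptions if _rule_matches(e, labels)]
    if exc:
        n = max(len(e.split(".")) for e in exc) - 1
    else:
        hits = [r for r in rules if _rule_matches(r, labels)]
        n = max((len(r.split(".")) for r in hits), default=1)
    return ".".join(labels[-n:])

def cookie_domain_allowed(host, cookie_domain, rules, exceptions):
    """Domain must cover the host and must not itself be a public suffix,
    otherwise one site could plant cookies that reach its neighbours."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host != cookie_domain and not host.endswith("." + cookie_domain):
        return False
    return public_suffix(cookie_domain, rules, exceptions) != cookie_domain
```

With the full rule set, a cookie scoped to foo.ck is rejected because foo.ck is a public suffix; with wildcard rules dropped the same cookie is accepted and would be sent to every host under foo.ck.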
Solution
Fortunately, the vulnerability has been fixed in the HttpClient 5.4.3 release. Refer to the official Apache HttpClient changelog for details of the changes. Tracking such updates is crucial to keeping your applications secure against known vulnerabilities.
Conclusion
As developers and maintainers of web applications, we must stay vigilant and keep up to date with security updates in the libraries we use. CVE-2025-27820 is a reminder of the importance of staying informed about security vulnerabilities in widely used libraries such as Apache HttpClient. Upgrading to HttpClient 5.4.3 or later protects your applications from this particular vulnerability and keeps cookie exchange and server host name validation secure.
Timeline
Published on: 04/24/2025 12:15:16 UTC
Last modified on: 04/24/2025 15:15:57 UTC