CVE-2025-27820 Information

Description

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

Reference

https://github.com/apache/httpcomponents-client/pull/574 https://github.com/apache/httpcomponents-client/pull/621 https://hc.apache.org/httpcomponents-client-5.4.x/index.html https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8