Search criteria
2 vulnerabilities found for Reactor Netty by VMware
CVE-2025-22227 (GCVE-0-2025-22227)
Vulnerability from cvelistv5 – Published: 2025-07-16 09:31 – Updated: 2025-07-16 14:39
VLAI?
Summary
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Severity ?
6.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Reactor Netty |
Affected:
1.0.x , < 1.0.49 (Reactor BOM 2020.0.48)
(commercial)
Affected: 1.1.x , < 1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20) (commercial) Affected: 1.2.x , < 1.2.8 (Reactor BOM 2024.0.8) (OSS) Affected: 1.3.x , < 1.3.0-M5 (Reactor BOM 2025.0.0-M5) (OSS) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T14:29:51.229735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:39:58.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Reactor Netty",
"product": "Reactor Netty",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.49 (Reactor BOM 2020.0.48)",
"status": "affected",
"version": "1.0.x",
"versionType": "commercial"
},
{
"lessThan": "1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20)",
"status": "affected",
"version": "1.1.x",
"versionType": "commercial"
},
{
"lessThan": "1.2.8 (Reactor BOM 2024.0.8)",
"status": "affected",
"version": "1.2.x",
"versionType": "OSS"
},
{
"lessThan": "1.3.0-M5 (Reactor BOM 2025.0.0-M5)",
"status": "affected",
"version": "1.3.x",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-07-16T09:26:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T09:31:15.293Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-22227"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22227",
"datePublished": "2025-07-16T09:31:15.293Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2025-07-16T14:39:58.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22227 (GCVE-0-2025-22227)
Vulnerability from nvd – Published: 2025-07-16 09:31 – Updated: 2025-07-16 14:39
VLAI?
Summary
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
Severity ?
6.1 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | Reactor Netty |
Affected:
1.0.x , < 1.0.49 (Reactor BOM 2020.0.48)
(commercial)
Affected: 1.1.x , < 1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20) (commercial) Affected: 1.2.x , < 1.2.8 (Reactor BOM 2024.0.8) (OSS) Affected: 1.3.x , < 1.3.0-M5 (Reactor BOM 2025.0.0-M5) (OSS) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T14:29:51.229735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:39:58.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Reactor Netty",
"product": "Reactor Netty",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.49 (Reactor BOM 2020.0.48)",
"status": "affected",
"version": "1.0.x",
"versionType": "commercial"
},
{
"lessThan": "1.1.32 (Reactor BOM 2022.0.27 and 2023.0.20)",
"status": "affected",
"version": "1.1.x",
"versionType": "commercial"
},
{
"lessThan": "1.2.8 (Reactor BOM 2024.0.8)",
"status": "affected",
"version": "1.2.x",
"versionType": "OSS"
},
{
"lessThan": "1.3.0-M5 (Reactor BOM 2025.0.0-M5)",
"status": "affected",
"version": "1.3.x",
"versionType": "OSS"
}
]
}
],
"datePublic": "2025-07-16T09:26:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T09:31:15.293Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-22227"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2025-22227: Authentication Leak On Redirect With Reactor Netty HTTP Client",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22227",
"datePublished": "2025-07-16T09:31:15.293Z",
"dateReserved": "2025-01-02T04:29:59.191Z",
"dateUpdated": "2025-07-16T14:39:58.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}